Abstract
Web applications use cookies as authentication tokens once a user has been successfully validated. Because cookies are stored on the client side, they are exposed to hijacking, theft, and unauthorized distribution. Methods for protecting cookies exist in the literature, yet cookie stealing and impersonation remain widely practised. Session cookies spare the user from having to log in repeatedly; when an attacker obtains them, the attacker can also join the user's active session, a phenomenon known as cookie hijacking. Here we propose a model built on blockchain, non-fungible tokens and smart contracts that prevents an attacker from performing unauthorized tasks even after gaining access to the user's session cookies. The web server uses the user's unique identification address to generate a session ticket that represents the verified user's ownership of the session. Whenever a request is made, it is authenticated by the blockchain, which makes cookie verification decentralized. The method ultimately aims to stop unauthorized users from acting through a user's active session, thereby reducing identity theft and impersonation via cookies.
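The abstract's central claim is that a copied session cookie should be useless on its own because the session ticket is bound to an owner identity that every request must prove. The following is an added illustration written for this page, not the chapter's code or protocol: an in-memory dictionary stands in for the on-chain ownership record, an HMAC over the request with a per-user key stands in for the asymmetric wallet signature a real design would verify against the owner's public key, and the addresses, paths and nonces are constructed. It shows a legitimate request being accepted, a stolen ticket without the owner key being rejected, and a verbatim replay of a captured request being rejected.

```python
"""Toy model of a session ticket bound to an owner identity (added example, not the paper's code)."""
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Set, Tuple

# Constructed stand-in for the on-chain ownership record: ticket id -> owner address.
LEDGER: Dict[str, str] = {}
# Constructed stand-in for per-user wallet keys. HMAC with a per-user secret replaces
# the asymmetric wallet signature a real design would use; the property demonstrated
# is that only the key holder can produce a proof that matches the ticket's owner.
WALLET_KEYS: Dict[str, bytes] = {}
# Nonces already accepted, so a captured request cannot be replayed.
SEEN_NONCES: Set[str] = set()


def register_user(address: str) -> bytes:
    """Create a wallet key for a user address (constructed; a wallet would hold this)."""
    key = secrets.token_bytes(32)
    WALLET_KEYS[address] = key
    return key


def issue_ticket(address: str) -> str:
    """Server mints a session ticket after login and records its owner on the ledger."""
    ticket = secrets.token_hex(16)
    LEDGER[ticket] = address
    return ticket


def _message(ticket: str, method: str, path: str, nonce: str, ts: int) -> bytes:
    # The proof covers the exact request, so a captured proof cannot be reused elsewhere.
    return f"{ticket}|{method}|{path}|{nonce}|{ts}".encode()


def sign_request(key: bytes, ticket: str, method: str, path: str, nonce: str, ts: int) -> str:
    """Client proves possession of the owner key over the request it is sending."""
    return hmac.new(key, _message(ticket, method, path, nonce, ts), hashlib.sha256).hexdigest()


def verify_request(ticket: str, method: str, path: str, nonce: str, ts: int, proof: str,
                   now: Optional[float] = None, max_skew: int = 60) -> Tuple[bool, str]:
    """Verifier checks recorded owner, freshness, replay, and the proof, in that order."""
    now = time.time() if now is None else now
    owner = LEDGER.get(ticket)
    if owner is None:
        return False, "unknown ticket"
    if abs(now - ts) > max_skew:
        return False, "stale timestamp"
    if nonce in SEEN_NONCES:
        return False, "replayed nonce"
    expected = sign_request(WALLET_KEYS[owner], ticket, method, path, nonce, ts)
    if not hmac.compare_digest(expected, proof):
        return False, "proof does not match ticket owner"
    SEEN_NONCES.add(nonce)
    return True, "ok"


def scenario() -> Dict[str, Tuple[bool, str]]:
    """Legitimate use, a stolen ticket, and a replayed capture (constructed inputs)."""
    alice_key = register_user("0xALICE")
    mallory_key = register_user("0xMALLORY")
    ticket = issue_ticket("0xALICE")
    now = int(time.time())

    # 1. Alice sends a request signed with her own key.
    nonce = secrets.token_hex(8)
    proof = sign_request(alice_key, ticket, "POST", "/transfer", nonce, now)
    legit = verify_request(ticket, "POST", "/transfer", nonce, now, proof, now=now)

    # 2. Mallory holds a copy of Alice's cookie (the ticket) but only her own key.
    nonce2 = secrets.token_hex(8)
    bad_proof = sign_request(mallory_key, ticket, "POST", "/transfer", nonce2, now)
    stolen = verify_request(ticket, "POST", "/transfer", nonce2, now, bad_proof, now=now)

    # 3. Mallory replays Alice's captured request verbatim.
    replay = verify_request(ticket, "POST", "/transfer", nonce, now, proof, now=now)

    return {"legit": legit, "stolen": stolen, "replay": replay}


if __name__ == "__main__":
    for name, (ok, why) in scenario().items():
        print(f"{name:7s} -> {'accepted' if ok else 'rejected'} ({why})")
```

The ordering of checks in `verify_request` matters for the defender: the ownership lookup happens before any cryptography, so a ticket that was never issued is refused without consulting a key, and the nonce set is only updated after a proof succeeds, so a failed forgery cannot burn a nonce the legitimate owner has yet to use.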
© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG
Shah, K., Khokhariya, U., Pancholi, N., Kumar, S., Parmar, K. (2022). Securing Cookies/Sessions Through Non-fungible Tokens. In: Rage, U.K., Goyal, V., Reddy, P.K. (eds) Database Systems for Advanced Applications. DASFAA 2022 International Workshops. DASFAA 2022. Lecture Notes in Computer Science, vol 13248. Springer, Cham. https://doi.org/10.1007/978-3-031-11217-1_10
DOI: https://doi.org/10.1007/978-3-031-11217-1_10
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-11216-4
Online ISBN: 978-3-031-11217-1
eBook Packages: Computer Science (R0)