Elsevier

Computer Networks

Volume 56, Issue 6, 19 April 2012, Pages 1723-1730
Computer Networks

A secure cookie scheme

https://doi.org/10.1016/j.comnet.2012.01.013Get rights and content

Abstract

Cookies are the primary means for web applications to authenticate HTTP requests and to maintain client states. Many web applications (such as those for electronic commerce) demand a secure cookie scheme. Such a scheme needs to provide the following four services: authentication, confidentiality, integrity, and anti-replay. Several secure cookie schemes have been proposed in previous literature; however, none of them are completely satisfactory. In this paper, we propose a secure cookie scheme that is effective, efficient, and easy to deploy. In terms of effectiveness, our scheme provides all of the above four security services. In terms of efficiency, our scheme does not involve any database lookup or public key cryptography. In terms of deployability, our scheme can be easily deployed on existing web services, and it does not require any change to the Internet cookie specification. We implemented our secure cookie scheme using PHP and conducted experiments. The experimental results show that our scheme is very efficient on both the client side and the server side.

A notable adoption of our scheme in industry is that our cookie scheme has been used by Wordpress since version 2.4. Wordpress is a widely used open source content management system.

Introduction

The widely used HTTP (Hypertext Transfer Protocol) works in a request-response fashion. First, a client sends a request (which either asks for a file or invokes a program) to a server. Second, the server processes the request and sends back a response to the client. After this, the connection between the client and the server is dropped and forgotten. HTTP is stateless in that an HTTP server treats each request independently of any previous requests. However, many web applications built on top of HTTP need to be stateful. For example, most online shopping applications need to keep track of the shopping carts of their clients.

Web applications often use cookies to maintain state. A cookie is a piece of information that records the state of a client. When a server needs to remember some state information for a client, the server creates a cookie that contains the state information and sends the cookie to the client. The client then stores the cookie either in memory or on a hard disk. The client later attaches the cookie to every subsequent request to the server.

Many web applications (such as electronic commerce) demand a secure cookie scheme. A secure cookie scheme that runs between a client and a server needs to provide the following four services: authentication, confidentiality, integrity, and anti-replay.

  • 1.

    Authentication: A secure cookie scheme should allow the server to verify that the client has been authenticated within a certain time period. Moreover, no client should be able to forge a valid cookie.

    In secure web applications, a typical session between a client and a server consists of two phases. The first phase is called the login phase and the second phase is called the subsequent-requests phase.

    • (a)

      Login phase: In this phase, the client and the server mutually authenticate each other. On one hand, the client authenticates the server using the server’s PKI (Public Key Infrastructure) Certificate after they establish an SSL (Secure Sockets Layer) connection. On the other hand, the server authenticates the client using the client’s user name and password, and sends a secure cookie (which is also called an ”authentication token” or an ”authenticator” in previous literature) to the client.

    • (b)

      Subsequent-requests phase: In this phase, the client sends the secure cookie along with every request to the server; the server verifies whether the cookie is valid, and if it is, services the request.

  • 2.

    Confidentiality: The contents of a secure cookie is intended only for the server to read. There are two levels of confidentiality that a secure cookie scheme may provide: low-level confidentiality and high-level confidentiality.

    • (a)

      Low-level confidentiality: A secure cookie scheme with low-level confidentiality prevents any parties except the server and the client from reading the contents of a cookie. To achieve low-level confidentiality, a secure cookie scheme usually runs on top of SSL. Note that SSL encrypts every message between the client and the server using a session key that only the client and the server know. In this paper, we assume that any secure cookie scheme runs on top of SSL.

    • (b)

      High-level confidentiality: A secure cookie scheme with high-level confidentiality prevents any parties except the server from reading the sensitive information within a cookie that the server does not want to reveal to the client [10]. For example, the cookie’s contents may contain some client information such as their internal rating or credit score, which the server may not want the client to be aware of.

    Different web applications may require different levels of confidentiality. Therefore, a secure cookie scheme should be able to configured to support both low-level confidentiality and high-level confidentiality.

  • 3.

    Integrity: A secure cookie scheme should allow a server to detect whether a cookie has been modified.

  • 4.

    Anti-replay: In the case that an attacker replays a stolen cookie, a secure cookie scheme should be able to detect that the cookie is invalid. Otherwise, the attacker would be authenticated as the client that the replayed cookie was issued to.

In designing a secure cookie scheme, besides the above security requirements, we also need to consider the issues of efficiency and deployability. As for efficiency concerns, a secure cookie scheme should avoid requiring a server to do database lookups in verifying a cookie, and should avoid public key cryptography. Note that database lookups dramatically slow down the speed that a server takes to verify a cookie. As for deployability concerns, a secure cookie scheme should avoid requiring a client to possess a public key and a private key, which is currently impractical to assume.

Several cookie schemes have been proposed [5], [10], [16], [3]; however, none of these schemes are completely satisfactory. The cookie scheme proposed by Fu et al., has three limitations: (1) it does not have a mechanism for providing high-level confidentiality, (2) it is vulnerable to cookie replay attacks, and (3) it does not provide mechanisms for key updating. The three authentication mechanisms of the cookie scheme proposed by Park and Sandhu are either ineffective or difficult to deploy [10]. The cookie scheme by Blundo et al. [3] and that proposed by Xu et al. [16] are inefficient because they require database lookups in verifying a cookie.

In this paper, we propose a secure cookie scheme that is effective, efficient, and easy to deploy. In terms of effectiveness, our secure cookie scheme provides all of the above four security services. In terms of efficiency, our secure cookie scheme does not involve any database lookup or public key cryptography. In terms of deployability, our secure cookie scheme can be easily deployed on existing web servers, and it does not require any change to the current Internet cookie specification [7].

The rest of this paper proceeds as follows. In Section 2, we present our secure cookie scheme in detail. In Section 4, we discuss the implementation of our secure cookie scheme and its performance. In Section 5, we review and examine existing cookie schemes. We give concluding remarks in Section 6.

Section snippets

Secure cookie scheme

The state-of-the-art secure cookie schemes was described by Fu et al. in their seminal paper [5]. In this section, we first examine this scheme, which we refer as Fu’s cookie scheme. We show that this scheme has three major limitations, and we give a solution to each of them. Finally, we present our secure cookie scheme. The notations used in this section are listed in the following table.

    |

    Separator

    HMAC(m,k)

    Keyed-Hash Message Authentication Code of message m using key k

    sk

    Server Key

    (m)k

Wordpress usage

Our secure cookie protocol has been used by Wordpress since version 2.4 [12]. Wordpress is a widely used open source content management system [15]. It is the largest self-hosted blogging tool in the world and it has been used on millions of sites and seen by tens of millions of people every day. Since version 2.4, Wordpress adopted our cookie scheme as follows:

Wordpress made two modifications to our secure cookie scheme. First, Wordpress eliminates data in their cookie scheme. This is because

Implementation and performance evaluation

In this section, we discuss the implementation and performance evaluation of our secure cookie scheme.

Related work

In this section, we examine previous secure cookie schemes and compare them with our secure cookie scheme.

Fu et al. investigated several home-brew cookie schemes and demonstrated their vulnerabilities, leading to Fu’s more secure cookie scheme [5]. As discussed in Section 2, Fu’s cookie scheme has three major limitations. First, it does not have a mechanism for providing high-level confidentiality. Second, it is vulnerable to cookie replay attacks. Third, it does not provide mechanisms for key

Conclusions

Our contributions in this paper are threefold. First, we discover that the state-of-the-art cookie scheme by Fu et al. has the following three major problems: it does not have a mechanism for providing high-level confidentiality, it is vulnerable to cookie replay attacks, and it does not provide convenient mechanisms for key updating. Second, we present a solution to each of these problems and we present a new secure cookie scheme. Third, we conduct performance evaluation of our secure cookie

Acknowledgement

The authors thank the editor Dr. Marco Gruteser and the anonymous reviewers for their constructive comments and useful suggestions on improving the presentation of this work. The authors also would like to thank Jeremy Brotherton and Kiyoshi Shikuma for suggesting to replace the SSL session key by the SSL session ID in our cookie scheme.

Alex X. Liu received his Ph.D. degree in computer science from the University of Texas at Austin in 2006. He is currently an assistant professor in the Department of Computer Science and Engineering at Michigan State University. He received the IEEE and IFIP William C. Carter Award in 2004 and an NSF CAREER award in 2009. He received the MSU College of Engineering Withrow Distinguished Scholar Award in 2011. His research interests focus on networking, security, and dependable systems.

References (17)

  • D. Akhawe, A. Barth, P.E. Lam, J. Mitchell, D. Song, Towards a formal foundation of web security, in: Proceedings of...
  • M. Bellare, R. Canetti, H. Krawczyk, Keying hash functions for message authentication, in: Proceedings of CRYPTO’96,...
  • C. Blundo, S. Cimato, R.D. Prisco, A lightweight approach to authenticated web caching, in: Proceedings of IEEE 2005...
  • D. Eastlake, P. Jones, Us secure hash Algorithm 1 (sha1), RFC 3174...
  • K. Fu, E. Sit, K. Smith, and N. Feamster, Dos and don’ts of client authentication on the web. In Proceedings of the...
  • H. Krawczyk, M. Bellare, and R. Canetti, Hmac: Keyed-hashing for message authentication, RFC 2104...
  • D. Kristol and L. Montulli, Http state management mechanism, RFC 2965...
  • A.X. Liu, J.M. Kovacs, C.-T. Huang, and M.G. Gouda, A secure cookie protocol, in: Proceedings of the 14th IEEE...
There are more references available in the full text version of this article.

Cited by (0)

Alex X. Liu received his Ph.D. degree in computer science from the University of Texas at Austin in 2006. He is currently an assistant professor in the Department of Computer Science and Engineering at Michigan State University. He received the IEEE and IFIP William C. Carter Award in 2004 and an NSF CAREER award in 2009. He received the MSU College of Engineering Withrow Distinguished Scholar Award in 2011. His research interests focus on networking, security, and dependable systems.

Jason M. Kovacs received his B.S. degree in computer science from the University of Texas at Austin in 2005. He is a professional web developer with many years of experience on creating robust back-end web applications, databases and user interfaces for businesses and organizations. He is also experienced in systems architecture within multiple industries, including manufacturing, insurance, education, media and social networking.

Mohamed G. Gouda obtained his Ph.D. in Computer Science from the University of Waterloo. He worked for the Honeywell Corporate Technology Center in Minneapolis from 1977 to 1980. In 1980, he joined the University of Texas at Austin where he currently holds the Mike A. Myers Centennial Professorship in Computer Sciences. He was the founding Editor-in-Chief of the Springer-Verlag journal Distributed Computing 1985–1989. His research areas are distributed and concurrent computing and network schemes.

3

www.exisweb.com.

1

The work of Jason M. Kovacs was conducted while he was an undergraduate student of The University of Texas at Austin.

2

Mohamed G. Gouda is currently a Program Manager at the National Science Foundation.

View full text