Enhancing the Security of Cookies

摘要

Cookies are pieces of information generated by a Web server to be stored in a user's machine. The information in cookies can range from selected items in a user's shopping cart to authentication information used for accessing restricted pages. While cookies are clearly very useful, they can also be abused. In this paper, security threats that cookies can pose to a user are identified, as are the security requirements necessary to defeat them. Various options to meet the security requirements are then examined. Proposed user-controlled approaches and their implementations are presented and compared with a server-controlled approach, particularly the 'Secure Cookies' method, to illustrate the relative advantages and disadvantages of the two approaches.