1. Technical Field
This disclosure relates generally to web application security and, in particular, to a method and system for ensuring that a web browser presents a web application cookie only to trusted servers.
2. Background of the Related Art
HTTP cookies (see IETF RFC 6265) provide a way of managing sessions and state between web browsers and web servers over the HTTP protocol. In a typical browser-server interaction, a web application sets a cookie; the cookie is returned to the browser, which stores it and presents it with subsequent requests until the web application expires it. Web applications leverage cookies for security purposes, such as authentication and session control.
An unauthorized party in possession of a cookie may compromise a web application's security. Thus, it is desirable to provide techniques to protect cookies from misappropriation. A known approach in the art is to defend against a particular type of exploit by setting a particular type of “attribute” on the cookie that influences the browser's behavior. Thus, for example, one type of attribute is a “secure” attribute. When this attribute is set, the browser only presents the cookie over encrypted (SSL-secured) channels; this approach provides some degree of security for the cookie by ensuring that it is delivered over the wire only in encrypted form. Another type of attribute is the “domain” attribute. If a cookie's domain attribute is not set, the browser presents the cookie to the issuing server only. Using the domain attribute, the browser can be controlled so that it presents the cookie to a server that is presumably trusted. Yet another cookie attribute is an “http-only” attribute. Setting a cookie's http-only attribute blocks client-side script access to the cookie, an approach which provides some protection against cross-site scripting (XSS) attacks.
While these approaches provide some security benefits, they do not always produce satisfactory results. Thus, for example, when the http-only attribute is set, XSS attacks may be minimized, but this approach has a significant downside because it blocks even a trusted site's client-side scripts from accessing the cookie. Thus, use of cookie attributes for security often comes with a trade-off. Moreover, even when an attribute can be used to provide some protection, sophisticated attacks can defeat its usefulness. An example of this scenario is the domain attribute, which provides no protection in the event the domain name system itself is compromised, even if the secure attribute is set.
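As an added illustration (not part of this disclosure), the following models the RFC 6265 rules by which a browser decides whether to present a cookie under the three attributes discussed above; the Set-Cookie values, host names and URLs are constructed samples.

```python
# Added example, not code from the disclosure: a minimal model of the RFC 6265 cookie
# presentation rules the background describes. All cookies and URLs are constructed samples.
from dataclasses import dataclass
from urllib.parse import urlsplit

@dataclass
class Cookie:
    name: str
    value: str
    domain: str        # host (or parent domain) the cookie is scoped to
    host_only: bool    # True when Set-Cookie carried no Domain attribute
    secure: bool
    http_only: bool

def parse_set_cookie(header: str, issuing_host: str) -> Cookie:
    """Parse a Set-Cookie value received from issuing_host (attribute names are
    case-insensitive and a leading dot on Domain is ignored, as in RFC 6265)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = Cookie(name.strip(), value.strip(), issuing_host.lower(), True, False, False)
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "domain" and val:
            cookie.domain, cookie.host_only = val.lstrip(".").lower(), False
        elif key == "secure":
            cookie.secure = True
        elif key == "httponly":
            cookie.http_only = True
    return cookie

def domain_matches(host: str, domain: str) -> bool:
    """RFC 6265 section 5.1.3: the host equals the domain or is a subdomain of it."""
    host = host.lower()
    return host == domain or host.endswith("." + domain)

def will_present(cookie: Cookie, url: str, script_access: bool = False) -> bool:
    """Would the browser attach the cookie to a request for url (or, with
    script_access=True, expose it to a script running on that page)?"""
    parsed = urlsplit(url)
    host = (parsed.hostname or "").lower()
    # No Domain attribute: issuing host only. With Domain: any matching host, judged
    # by name alone; the browser cannot tell which server that name resolved to,
    # which is the DNS weakness the background notes.
    in_scope = host == cookie.domain if cookie.host_only else domain_matches(host, cookie.domain)
    if not in_scope:
        return False
    if cookie.secure and parsed.scheme != "https":  # Secure: encrypted channels only
        return False
    return not (cookie.http_only and script_access)  # HttpOnly: hidden from scripts
```

The model omits public-suffix checks, Path matching and expiry, which a real browser also applies before presenting a cookie.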
The disclosed subject matter addresses these and other deficiencies in the prior art.