A cookie (for instance an HTTP cookie, web cookie, or browser cookie) is a small piece of data sent from a website and stored in a user's web browser while the user is browsing that website. A cookie classically consists of six components: the name of the cookie, the value of the cookie, the expiry of the cookie (expressed in Greenwich Mean Time), the path the cookie is good for, the domain the cookie is good for, and whether a secure connection is needed to use the cookie. Only the first two components (name and value) are required for the successful operation of the cookie.
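The six components listed above map directly onto the `Set-Cookie` response header. The following parser is an added example, not code from the patent or from any browser; it splits a `Set-Cookie` header value into those six components and, as the text states, treats only the name and value as mandatory (the `Cookie` dataclass and `parse_set_cookie` function are this example's own names, and `HttpOnly`, `SameSite` and `Max-Age` are deliberately left out because the text does not discuss them).

```python
from dataclasses import dataclass
from datetime import datetime
from email.utils import parsedate_to_datetime
from typing import Optional


@dataclass
class Cookie:
    """The six classical cookie components; only name and value are required."""
    name: str
    value: str
    expires: Optional[datetime] = None   # expiry, given in GMT on the wire
    path: Optional[str] = None           # path the cookie is good for
    domain: Optional[str] = None         # domain the cookie is good for
    secure: bool = False                 # secure connection required to send it


def parse_set_cookie(header: str) -> Cookie:
    """Parse the value of a Set-Cookie header into a Cookie.

    Raises ValueError when the mandatory name=value pair is missing.
    """
    parts = [p.strip() for p in header.split(";")]
    if not parts or "=" not in parts[0]:
        raise ValueError("Set-Cookie must start with name=value")
    name, value = parts[0].split("=", 1)
    name = name.strip()
    if not name:
        raise ValueError("cookie name must not be empty")
    cookie = Cookie(name=name, value=value.strip())

    for attr in parts[1:]:
        if not attr:
            continue
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        val = val.strip()
        if key == "expires":
            # RFC 1123 date such as "Wed, 09 Jun 2021 10:18:14 GMT";
            # parsedate_to_datetime keeps the GMT/UTC offset as tzinfo.
            cookie.expires = parsedate_to_datetime(val)
        elif key == "path":
            cookie.path = val
        elif key == "domain":
            # Browsers ignore a leading dot and compare domains case-insensitively.
            cookie.domain = val.lstrip(".").lower()
        elif key == "secure":
            cookie.secure = True
        # Any other attribute is ignored by this example.
    return cookie


if __name__ == "__main__":
    # Constructed sample header, not captured from a real site.
    sample = ("sessionid=abc123; Expires=Wed, 09 Jun 2021 10:18:14 GMT; "
              "Path=/; Domain=.example.com; Secure")
    print(parse_set_cookie(sample))
    print(parse_set_cookie("theme=dark"))  # minimal cookie: name and value only
```

A cookie parsed from `theme=dark` comes back with every optional field at its default, which is exactly the "only name and value are required" rule; the browser then fills in the defaults (session lifetime, request path, request host, no secure requirement) itself.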
Every time the user loads the website, the browser sends the cookie back to the server to notify the website of the user's previous activity. Cookies also enable websites to remember information. Authentication cookies are the most common method used by web servers to know whether the user is logged in, and under which account. Without such a mechanism, the site would not know whether to send a page containing sensitive information or to require the user to authenticate by logging in. The security of an authentication cookie generally depends on the security of the issuing website and of the user's web browser, and on whether the cookie data is encrypted.
Security vulnerabilities may allow a cookie's data to be read by an attacker, used to gain access to user data, or used to gain access (with the user's credentials) to the website to which the cookie belongs (for example through cross-site scripting or cross-site request forgery).
Most websites use cookies as the only identifiers for user sessions, because other methods of identifying web users have limitations and vulnerabilities. If a website uses cookies as session identifiers, attackers can impersonate users' requests by stealing a victim's full set of cookies. From the web server's point of view, a request from an attacker then carries the same authentication as the victim's requests, so the request is processed on behalf of the victim's session.
The field of this invention typically relates to HTTP client security, addressing the vulnerability at the browser level. More widely, the invention can be applied to any network using cookies, that is, items defined by a name and a value, sent by a server and stored by a client. Classical protection methods are not effective against cookie-stealing or cookie-tossing attacks. Service can also be denied to a user by overriding the current cookie with a bad or fake one.
Although many protections are intended to prevent malicious use of a stolen cookie, it is still possible to deceive the server with a cookie that it will accept, because cookie names are public and thus predictable.
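Because the browser sends every cookie whose name, domain and path match, a tossed or overriding cookie shows up on the server as a second cookie with the same public name in the request's `Cookie` header. The server-side check below is an added example, not part of the patent or of any framework; it parses the `Cookie` header while preserving duplicates (which ordinary cookie helpers silently collapse) and reports any name that arrives more than once, so the server can refuse to treat an ambiguous session cookie as authentication. The function names and the sample header are this example's own constructions.

```python
from typing import Dict, List, Tuple


def parse_cookie_header(header: str) -> List[Tuple[str, str]]:
    """Split a request Cookie header into (name, value) pairs.

    Order and duplicates are preserved on purpose: RFC 6265 allows the
    browser to send several cookies with the same name (e.g. one scoped to
    the registrable domain and one to a subdomain), and that is exactly the
    situation a cookie-tossing or override attempt produces.
    """
    pairs: List[Tuple[str, str]] = []
    for item in header.split(";"):
        item = item.strip()
        if not item:
            continue
        name, _, value = item.partition("=")
        pairs.append((name.strip(), value.strip()))
    return pairs


def shadowed_names(header: str) -> Dict[str, List[str]]:
    """Return every cookie name that occurs more than once, with all its values."""
    seen: Dict[str, List[str]] = {}
    for name, value in parse_cookie_header(header):
        seen.setdefault(name, []).append(value)
    return {name: values for name, values in seen.items() if len(values) > 1}


def session_is_ambiguous(header: str, session_cookie_name: str) -> bool:
    """True when the session cookie name arrives with more than one value.

    A server that picks "the first one" here is choosing blindly between the
    legitimate cookie and an injected one with the same predictable name, so
    the safe reaction is to reject the request or force re-authentication.
    """
    return session_cookie_name in shadowed_names(header)


if __name__ == "__main__":
    # Constructed request header: a second "sessionid" has been injected
    # alongside the legitimate one. Values are placeholders, not real tokens.
    suspicious = "sessionid=injected-value; theme=dark; sessionid=legit-token"
    print(parse_cookie_header(suspicious))
    print(shadowed_names(suspicious))
    print(session_is_ambiguous(suspicious, "sessionid"))   # True
    print(session_is_ambiguous("sessionid=legit-token; theme=dark", "sessionid"))  # False
```

The check does not tell the server which of the two values is genuine; it only makes the collision visible, which is the point the text makes about predictable names. Deciding which cookie to trust still requires a mechanism beyond the name alone.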
Further alternative and advantageous solutions would, accordingly, be desirable in the art.