When a user browses to a website, the website can return data, known as a cookie, that is stored on the user's computer and then sent back to the server when the user later browses to the same website. The website can use the cookie to establish a state associated with the user. For example, with a website through which a user can make purchases, a cookie may be used to maintain a list of items that are in the user's shopping cart: a user may visit the website, add things to their shopping cart, and leave the website, and when the user returns, the previously added items are still in the shopping cart, based on data stored in a cookie. Because cookies may contain sensitive and/or personal data (e.g., data for providing access to a bank account), it is important that cookies be protected. Cookies are typically signed and/or encrypted to protect the data. Furthermore, to increase security, keys that are used to sign and/or encrypt cookies should be securely stored and frequently changed.
Many websites are implemented using a server farm environment, in which the load is balanced across multiple, independent server systems. When a user accesses a particular website that is available via the server farm, the user may actually be accessing any of the server systems that are part of the server farm. Accordingly, for cookies to be effective, each server system should be able to receive and use a cookie from a user, even if the server that receives the cookie is not the server that generated the cookie. To accomplish this, secure, frequently changed keys that can be used to decrypt and/or verify received cookies should be available across multiple, independent server systems.
Accordingly, a need exists for a technique for automatically making symmetric keys accessible to multiple, independent server systems.
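The server-farm requirement described above can be shown with a short added example (not part of the original text): two servers hold copies of the same key ring, cookies carry the id of the key that signed them, and rotation keeps the previous key for verification only. HMAC-SHA256, the `kid.body.tag` cookie layout, the `KeyRing` class and the fixed key bytes are assumptions constructed for illustration; the payload is signed but not encrypted, and how keys reach each server is out of scope.

```python
import base64, hashlib, hmac, json

class KeyRing:
    """Symmetric signing keys, keyed by id; each server holds its own copy."""
    def __init__(self, keys, current_id, max_keys=2):
        self.keys = dict(keys)            # key id -> secret bytes, oldest first
        self.current_id = current_id      # id of the key used for new cookies
        self.max_keys = max_keys
    def rotate(self, new_id, new_key):
        # The new key signs from now on; older keys stay verify-only until pruned.
        self.keys[new_id] = new_key
        self.current_id = new_id
        while len(self.keys) > self.max_keys:
            del self.keys[next(iter(self.keys))]

def _b64(data):
    return base64.urlsafe_b64encode(data).decode()

def _tag(key, kid, body):  # the key id is covered by the MAC so it cannot be swapped
    return _b64(hmac.new(key, f"{kid}.{body}".encode(), hashlib.sha256).digest())

def sign_cookie(ring, payload):
    kid, body = ring.current_id, _b64(json.dumps(payload, sort_keys=True).encode())
    return f"{kid}.{body}.{_tag(ring.keys[kid], kid, body)}"

def verify_cookie(ring, cookie):
    """Return the payload, or None for an unknown/retired key or a bad tag."""
    try:
        kid, body, tag = cookie.split(".")
        expected = _tag(ring.keys[kid], kid, body)
        if not hmac.compare_digest(expected.encode(), tag.encode()):
            return None
        return json.loads(base64.urlsafe_b64decode(body))
    except (ValueError, KeyError):
        return None

def demo():
    # Constructed demo keys; real keys would come from a CSPRNG.
    k1, k2, k3 = b"constructed-key-1", b"constructed-key-2", b"constructed-key-3"
    server_a, server_b = KeyRing({"k1": k1}, "k1"), KeyRing({"k1": k1}, "k1")
    cookie = sign_cookie(server_a, {"cart": ["sku-1", "sku-2"]})
    results = {"other_server": verify_cookie(server_b, cookie)}
    server_a.rotate("k2", k2)                       # only A has received k2 so far
    results["unsynced"] = verify_cookie(server_b, sign_cookie(server_a, {"cart": []}))
    server_b.rotate("k2", k2)
    results["after_rotation"] = verify_cookie(server_b, cookie)  # k1 is verify-only
    server_b.rotate("k3", k3)                       # k1 pruned (max_keys=2)
    results["retired_key"] = verify_cookie(server_b, cookie)
    results["tampered"] = verify_cookie(server_a, cookie[:-1] + "A")
    return results
```

The `unsynced` result is the failure the passage motivates: a server that has not yet received the new key rejects a valid cookie issued by a server that has.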