1. Field
Various features pertain to the deployment of conditional use cookies to communicate information between a client browser/device and a host web server.
2. Background
Hypertext Transfer Protocol (HTTP) is a stateless protocol used to request and deliver web pages over a network. Oftentimes, applications deployed over the network (i.e., web applications) use cookies to keep track of state, where the web server sets an application state in the cookie and provides the cookie to the client (e.g., a client browser on a client device). Cookies may include login and/or authentication information, identification of a user session, the user's preferences, browsing activity tracking, shopping cart contents, or anything else that may be accomplished through storing text data on the user's computer. The client can use a cookie in a (subsequent) request to the web server to alert the web server to the current state of the application or web page at the client side. The cookie may be signed by the web server prior to delivery for authentication purposes.
A security risk exists in cross-domain requests, where a web page delivered by the web server may include links or references to other servers. Upon receiving the web page, the client browser may also request the cross-linked content from the other servers. However, such cross-linked content may include instructions and/or operations that cause the client to perform an unexpected or unwanted action (e.g., logout or password change).
FIG. 1 is a block diagram illustrating a cross-site request forgery attack. As illustrated in FIG. 1, a first web server (victim) 104 may provide a client device 102 (i.e., a web browser operating on a user computer) with a web page and associated cookies 108. Such a web page may include links 110 to content in the second web server 106 (attacker). Here, the second web server 106 may respond with web content 112 that triggers some action by the first web server 104. For example, the web content 112 sent by the second web server 106 may be a password change, which prompts the client device 102 to forward such a cross-site request to the first web server 104 along with all of its cookies 114 for that web page. Consequently, the content 112 received from the second web server 106 by the client device 102 may cause the client device 102 to request that the first web server 104 perform a password change for the client device 102 (e.g., the user of the client device), even though the client device 102 did not actually desire such a password change.
This attack, known as a cross-site request forgery (also known as a one-click attack or session riding) and abbreviated as CSRF, is a type of malicious exploit of a website whereby unauthorized commands are transmitted from a client (e.g., user of client device 102) that the website (first web server 104) trusts.
Several things have to happen for cross-site request forgery to succeed:
1. The attacker targets either a site that doesn't check the referrer header (which is common) or a victim with a browser or plugin bug that allows referrer spoofing (which is rare).
2. The attacker finds a form submission at the target site, or a Uniform Resource Locator (URL) that has side effects, that does something (e.g., transfers money, or changes the victim's e-mail address or password).
3. The attacker determines the right values for all the form's or URL's inputs for the target site; if any of them are required to be secret authentication values or IDs that the attacker can't guess, the attack will fail.
4. The attacker lures the victim to a web page with malicious code while the victim is logged in to the target site.
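The following worked example is added here to illustrate the points made above about signed cookies and the conditions under which a forged cross-site request succeeds; it is not code from the patent or from any product it describes. It models the first web server 104 as two Python request handlers: one that trusts the (correctly signed) session cookie alone, and one that additionally checks the request's origin and a secret per-session token, which is the "secret value the attacker can't guess" in condition 3 of the list. The server key, the site origin `https://bank.example`, the `/change-password` path and the `Request` structure are all constructed for the demonstration.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urlsplit

# Constructed server-side secret for the demo; a real deployment loads it from
# protected configuration, never from source.
SERVER_KEY = b"constructed-demo-key-not-for-production"
# Hypothetical origin of the first web server (the victim in FIG. 1).
SITE_ORIGIN = "https://bank.example"


def sign_cookie(value: str) -> str:
    """Server signs the cookie payload (HMAC-SHA256) so the client cannot forge
    or tamper with it. Note that signing says nothing about *who triggered*
    the request that carries the cookie back."""
    mac = hmac.new(SERVER_KEY, value.encode(), hashlib.sha256).hexdigest()
    return f"{value}.{mac}"


def verify_cookie(cookie: str) -> Optional[str]:
    """Return the cookie payload if its signature is valid, otherwise None."""
    value, sep, mac = cookie.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(SERVER_KEY, value.encode(), hashlib.sha256).hexdigest()
    return value if hmac.compare_digest(mac.encode(), expected.encode()) else None


def issue_csrf_token(session: str) -> str:
    """Synchronizer token derived from the session. The legitimate site embeds
    it in its own form; a cross-site page cannot read it."""
    return hmac.new(SERVER_KEY, b"csrf:" + session.encode(), hashlib.sha256).hexdigest()


@dataclass
class Request:
    method: str
    path: str
    headers: dict
    form: dict = field(default_factory=dict)


def request_origin(headers: dict) -> Optional[str]:
    """Origin header if present, else scheme://host of the Referer, else None."""
    if "Origin" in headers:
        return headers["Origin"]
    referer = headers.get("Referer")
    if referer:
        parts = urlsplit(referer)
        return f"{parts.scheme}://{parts.netloc}"
    return None


def handle_vulnerable(req: Request) -> str:
    """Trusts the session cookie alone: the browser attaches cookies 114 to a
    cross-site request automatically, so a forged POST is honored."""
    session = verify_cookie(req.headers.get("Cookie", ""))
    if session is None:
        return "401 no valid session"
    if req.method == "POST" and req.path == "/change-password":
        return f"200 password changed for {session}"
    return "404"


def handle_hardened(req: Request) -> str:
    """Same handler plus two independent cross-site checks on state-changing
    methods: an exact origin match (no prefix matching, so
    bank.example.evil.example does not pass) and the per-session token."""
    session = verify_cookie(req.headers.get("Cookie", ""))
    if session is None:
        return "401 no valid session"
    if req.method in ("POST", "PUT", "DELETE"):
        if request_origin(req.headers) != SITE_ORIGIN:   # also rejects absent origin
            return "403 cross-site request rejected (origin mismatch)"
        token = req.form.get("csrf_token", "")
        if not hmac.compare_digest(token.encode(), issue_csrf_token(session).encode()):
            return "403 cross-site request rejected (missing or wrong token)"
    if req.method == "POST" and req.path == "/change-password":
        return f"200 password changed for {session}"
    return "404"


def make_requests():
    """Constructed traffic: the same valid cookie carried by a request the
    second web server 106 induced, and by the site's own form submission."""
    cookie = sign_cookie("alice")
    induced = Request("POST", "/change-password",
                      {"Cookie": cookie, "Referer": "https://bank.example.evil.example/page"},
                      {"new_password": "attacker-chosen"})
    legitimate = Request("POST", "/change-password",
                         {"Cookie": cookie, "Origin": SITE_ORIGIN},
                         {"new_password": "hunter2", "csrf_token": issue_csrf_token("alice")})
    return induced, legitimate


if __name__ == "__main__":
    induced, legitimate = make_requests()
    print("vulnerable, cross-site:", handle_vulnerable(induced))
    print("hardened,   cross-site:", handle_hardened(induced))
    print("hardened,   legitimate:", handle_hardened(legitimate))
```

The two checks in `handle_hardened` are deliberately independent: the origin check catches the common case where the browser does send `Origin`/`Referer`, and the token check still holds when neither header is present or a plugin bug spoofs it (condition 1 above), because the token is a value the cross-site page never sees.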
Individual web users using unmodified versions of the most popular web browsers can do relatively little to prevent cross-site request forgery. Logging out of websites and avoiding their “remember me” features can mitigate CSRF risk; not displaying external images or not clicking links in spam or untrusted e-mails may also help.
Web browser extensions such as RequestPolicy (e.g., for Mozilla Firefox) can prevent CSRF by providing a default-deny policy for cross-site requests. However, this can significantly interfere with the normal operation of many websites.
Therefore, it would be beneficial to provide a security mechanism that allows legitimate cross-site requests to operate while inhibiting cross-site request forgery.