1. Field of the Invention
The invention relates generally to computer systems and the Internet, and more particularly to Internet security.
2. Description of the Related Art
Many web sites attempt to store information on a user's computer in a small file referred to as a cookie. Cookies provide for HTTP state management, by which a server may correlate multiple requests coming from the same client. Cookies may include sensitive and personal information, or the keys needed to get to a user's sensitive and personal information.
Because of their ability to store and exchange sensitive and personal information, cookie security has become a significant concern to individual users, software manufacturers and providers of Internet content. There are generally two types of cookies: session cookies and permanent cookies. Session cookies are temporary and exist only as long as the browser session is open. Session cookies do not get stored on a computer's hard disk, but are kept in memory. Permanent cookies are generally stored on a hard disk until a specified expiration time. The location of cookies differs with each browser, but cookie management is generally handled by a browser and the server.
One example of a relatively recent but common security problem is cross-site scripting. Cross-site scripting is a server-side vulnerability that enables malicious script (e.g., written by a hacker) to execute on a client machine in the domain of that vulnerable server. This may cause cookie information to be provided to an invalid domain, or to provide sensitive information as a result of a script extracting information to malicious websites. In general, cross-site scripting tricks a user into sending a malicious script to the server, and the server then returns the script as part of the server's returned content. When the content is interpreted, the script is executed in the security context of the server's domain.
Another example of a security concern with respect to cookie data are “replay attacks.” With this type of attack, the attacker captures the user's authentication cookie using monitoring software and replays it to the application to gain access under a false identity.
Hence, methods and systems which address security, predictability and performance concerns in the use of cookies in web applications are of great value.