A browser cookie (“cookie”) is a small data element sent by a website to a computer for storage. The cookie is typically stored in a web browser used to access the website. When the computer accesses the website, the web browser sends all cookies related to the website back to a server hosting the website. Cookies typically store information about previous interactions between the computer and the website. This information is made available to the website when the cookies are sent to the server. Thus, cookies may be used to preserve an online session, track items in a virtual shopping cart, maintain user settings, and the like.
However, existing same-origin security policies for cookies are loose, and may make it possible to plant unsecured or malicious cookies in a web browser, which may pose a security risk. Cookies are thus a potential attack vector for hackers and other maliciously intentioned individuals or groups. Many corporate networks have both public-facing services and a private intranet hosted on the same domain, which offers greater convenience for users and administrators, including single sign-on, but is particularly at risk of cookie-based attacks. A first kind of cookie-based attack is a cookie-injection attack, which may allow an attacker to send cookies to private intranet servers without needing access to the private intranet. A second kind of cookie-based attack is a cookie-replaying attack, which may allow an attacker to steal cookies set by websites on the private intranet and replay them to public-facing services hosted on the same domain.
Although part of the security risk can potentially be mitigated by using stricter transmission protocols or by using more complex cookies, these approaches typically require changes to existing systems and codebases. These approaches also may not be supported by all web browsers. Therefore, there is a need for solutions to help mitigate cookie-injection and cookie-replaying attacks without requiring massive changes to existing systems and codebases.
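The following is an added worked example, not code from the original document. It models the browser-side cookie scoping rules of RFC 6265 (domain matching, host-only cookies, path and Secure checks) together with the `__Host-` cookie-name prefix that current browsers enforce at storage time, to show concretely why a domain-wide cookie shared between a public site and an intranet on the same registrable domain is exposed to both of the problems described above, and how a host-only prefixed cookie is not. The hosts `www.example.com` and `intranet.example.com`, the cookie names and values, and the `demo()` scenario are all constructed for illustration.

```python
"""Simulation of browser cookie scoping (RFC 6265) with __Host- prefix rules.

Constructed example: hosts, cookie names and values are illustrative only.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Cookie:
    name: str
    value: str
    domain: str        # effective domain, lower-case, no leading dot
    host_only: bool    # True when Set-Cookie carried no Domain attribute
    path: str = "/"
    secure: bool = False


def domain_matches(host: str, domain: str) -> bool:
    """RFC 6265 s5.1.3: host equals the domain or is a subdomain of it."""
    host, domain = host.lower(), domain.lower()
    return host == domain or host.endswith("." + domain)


def path_matches(req_path: str, cookie_path: str) -> bool:
    """RFC 6265 s5.1.4 path-match."""
    if req_path == cookie_path:
        return True
    if req_path.startswith(cookie_path):
        return cookie_path.endswith("/") or req_path[len(cookie_path)] == "/"
    return False


def store_cookie(header: str, setting_host: str, https: bool) -> Optional[Cookie]:
    """Scope a Set-Cookie header as a browser would (RFC 6265 s5.3).

    Returns None when the browser would discard the cookie.  The default
    path is simplified to "/" (a real browser derives it from the URI).
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = Cookie(name.strip(), value.strip(), setting_host.lower(), True)
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "domain" and val:
            dom = val.lstrip(".").lower()
            if not domain_matches(setting_host, dom):
                return None   # a host may only widen scope to its own domain
            cookie.domain, cookie.host_only = dom, False
        elif key == "path" and val.startswith("/"):
            cookie.path = val
        elif key == "secure":
            cookie.secure = True
    # __Host- prefix: only stored if set over HTTPS, Secure, no Domain, Path=/
    if cookie.name.startswith("__Host-"):
        if not (https and cookie.secure and cookie.host_only and cookie.path == "/"):
            return None
    return cookie


def add_to_jar(jar: List[Cookie], cookie: Cookie) -> None:
    """Replace any cookie with the same (name, domain, path), then append."""
    key = (cookie.name, cookie.domain, cookie.path)
    jar[:] = [c for c in jar if (c.name, c.domain, c.path) != key]
    jar.append(cookie)


def cookies_for_request(jar: List[Cookie], host: str, path: str = "/",
                        https: bool = True) -> List[Cookie]:
    """RFC 6265 s5.4: the cookies a browser attaches to a request."""
    out = []
    for c in jar:
        if c.host_only and host.lower() != c.domain:
            continue
        if not c.host_only and not domain_matches(host, c.domain):
            continue
        if not path_matches(path, c.path) or (c.secure and not https):
            continue
        out.append(c)
    return out


def demo() -> Dict[str, object]:
    """Public site and intranet on one domain; returns what each host receives."""
    jar: List[Cookie] = []
    events = [  # (setting host, over HTTPS?, Set-Cookie header) - constructed
        ("intranet.example.com", True, "session=legacy-intra; Domain=example.com"),
        ("intranet.example.com", True, "__Host-session=intra-v2; Secure; Path=/"),
        ("www.example.com", True, "pref=dark; Domain=example.com"),
        ("www.example.com", True,
         "__Host-session=planted; Domain=example.com; Secure; Path=/"),
    ]
    rejected = []
    for host, https, header in events:
        cookie = store_cookie(header, host, https)
        if cookie is None:
            rejected.append(header.split(";")[0])
        else:
            add_to_jar(jar, cookie)
    sent = {h: sorted(c.name for c in cookies_for_request(jar, h))
            for h in ("www.example.com", "intranet.example.com")}
    return {"sent": sent, "rejected": rejected}


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the legacy `session` cookie, scoped to `Domain=example.com` by the intranet, being presented to the public host as well, which is the exposure that makes replaying intranet cookies against public-facing services possible; the domain-wide `pref` cookie set by the public host reaches the intranet in the same way. The `__Host-session` cookie is stored host-only for the intranet and never sent to `www.example.com`, and the attempt to set a `__Host-` cookie with a `Domain` attribute from the public host is discarded at storage time. The caveat is the one the text makes: the prefix check lives in the browser, so a browser that does not implement cookie prefixes stores the cookie as an ordinary one, and the server cannot tell from the `Cookie` request header alone which rules were applied.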