Previous [ 1] [ 2] [ 3] [ 4] [ 5] [ 6] [ 7] [ 8] [ 9] [ 10] [ 11] [ 12] [ 13] [ 14] [ 15]

@

Journal of Information Science and Engineering, Vol. 22 No. 3, pp. 559-571 (May 2006)

A New Design for a Practical Secure Cookies System*

Jong-Phil Yang and Kyung Hyune Rhee+
Department of Computer Science
+Division of Electronic, Computer and Telecommunication Engineering
Pukyong National University
Nam-gu, Busan, Korea

Because of the stateless character of HTTP, cookies were invented to maintain continuity and states on the Web. Cookies which have user-related information are transmitted and stored, so an attacker can easily copy and modify them for his own purpose. Therefore, cookies are exposed to serious security threats such as network threats, end-system threats, and cookie-harvesting threats. In this paper, we present a secure cookie system for solving these security weaknesses of typical web cookies. Since our system is based on the Public Key Infrastructure (PKI), it provides mutual authentication between clients and servers, and ensures the confidentiality and integrity of user information. We have implemented our secure cookie system and compare it here to the Secure Socket Layer (SSL) protocol that is widely used to provide the security in the HTTP environment.

Keywords: secure web service, security, authentication, cookies, public key infrastructure

Full Text () Retrieve PDF document (200605_06.pdf)

Received December 9, 2003; revised September 1 & November 23, 2004; accepted December 20, 2004.
Communicated by Ja-Ling Wu.
* The preliminary version of paper was presented in the 3rd International Conference in India (INDOCRYPT 2002), Hyderabad, India, Dec. 16-18, 2002.