Origin Cookies: Session Integrity for Web Applications

Author: Andrew Bortz
Virtually every web site on the Internet uses cookies to maintain session state between HTTP requests. Unfortunately, cookies have a serious design flaw that limits their security. In particular, cookies cannot provide session integrity against an attacker who can host content on a related domain. This type of attacker is surprisingly common and problematic, yet existing proposals and best practices do not address this vulnerability. A lack of session integrity can result in session hijacking…
This paper has 50 citations.


Publications citing this paper (26 extracted citations; the following are listed here):

Cookies Lack Integrity: Real-World Implications
USENIX Security Symposium, 2015

Large-Scale Analysis & Detection of Authentication Cross-Site Request Forgeries
2017 IEEE European Symposium on Security and Privacy (EuroS&P), 2017

CSP adoption: current status and future prospects
Security and Communication Networks, 2016

