A secure cookie protocol

Cookies are the primary means for Web applications to authenticate HTTP requests and to maintain client states. Many Web applications (such as electronic commerce) demand a secure cookie protocol. Such a protocol needs to provide the following four services: authentication, confidentiality, integrity and antireplay. Several secure cookie protocols have been proposed in previous literature; however, none of them are completely satisfactory. In this paper, we propose a secure cookie protocol that is effective, efficient, and easy to deploy. In terms of effectiveness, our protocol provides all of the above four security services. In terms of efficiency, our protocol does not involve any database lookup or public key cryptography. In terms of deployability, our protocol can be easily deployed on an existing Web server, and it does not require any change to the Internet cookie specification. We implemented our secure cookie protocol using PHP, and the experimental results show that our protocol is very efficient.