Secure HTTP Cookies

Some people love them and some people hate them, but HTTP cookies are really darn useful. Cookies are the way web sites remember who you, avoiding the need to enter and re-enter your password from day to day. Cookies can also store information, such as user preferences on a given computer.

Facebook, blogs, and many other public web sites use cookies. They can be misused, of course, such as by advertisers who track your movement around the Internet. However, most uses of cookies are not so invasive. But, there is a big problem with cookies: they’re entirely insecure.

Cookies might be encrypted by the server, so certain information in the cookie might be secure. However, when cookies are used to maintain a user’s logged in state, the user is at risk of having his or her session stolen. This happened recently with Facebook, in fact. However, what if a hacker is able to grab a user’s session and post malicious content or delete photos or do other destructive acts in the name of the user? This is scary.

What solutions exist? Presently, the only solution is to use HTTPS. HTTPS will encrypt all traffic to and from the client. Unfortunately, HTTPS comes with a high price: encrypting and decrypting every single bit of data between the browser and server is expensive.

So, a colleague and I thought about a better approach and we came up with a proposal for just encrypting a part of the cookie information passed between the client and server. Have a look and tell me what you think. The draft can be found here.