Method and system for improved internet security via HTTP-only cookies
US7359976B2 · kind B2 · utility
Assignee
Inventors
Key dates
| Date | Value |
|---|---|
| Filing date | Nov 23, 2002 |
| Grant date | Apr 15, 2008 |
| Priority date | — |
| Expiry date | Aug 22, 2026 |
Classification
- Technology area (CPC H): Electricity
- CPC primary: H04L69/329
- WIPO field: Digital communication
- WIPO sector: Electrical engineering
Abstract
A system and method that prevents certain cookies, as specified by an Internet server, from being accessed through client-side script, thereby limiting the amount of damage that cross-site scripting attacks can accomplish. The server marks selected cookies with an attribute that flags such cookies as being protected, and a security mechanism in the client prevents protected cookies from being accessed via script. A protected (flagged) cookie can still be accessed by the server (e.g., via HTTP), while non-flagged cookies can be accessed by the server or by script. An API or similar layer implements the security mechanism that checks for the attribute and fails requests for any cookies having that attribute set. The present invention can also be adapted to prevent a malicious script from overwriting existing HTTP-only cookies on a client machine.
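The client-side mechanism the abstract describes (a cookie store that honours a server-set protection attribute, refuses script reads of protected cookies, refuses script overwrites of existing protected cookies, and still returns every cookie on HTTP requests) can be modelled in a few dozen lines. The example below is added here for illustration; it is not the patent's implementation nor any browser's code. The class and method names (`CookieJar`, `setFromServer`, `scriptRead`, `scriptWrite`, `requestHeader`, `simulateXss`) and the sample `Set-Cookie` headers are assumptions constructed for the example. One rule beyond the abstract is included: a script-initiated write that itself carries the `HttpOnly` attribute is discarded, which is the behaviour RFC 6265 specifies for cookies set through a non-HTTP API.

```javascript
// Added example: a minimal model of a browser cookie store that enforces the
// HttpOnly semantics described in the abstract. Illustrative only; not the
// patent's or any browser's implementation. Names are assumed.

class CookieJar {
  constructor() {
    this.cookies = new Map(); // name -> { value, httpOnly }
  }

  // HTTP side: process a Set-Cookie response header. The server marks a
  // cookie as protected by appending the HttpOnly attribute.
  setFromServer(setCookieHeader) {
    const { name, value, attrs } = CookieJar.parse(setCookieHeader);
    const httpOnly = attrs.some((a) => a.toLowerCase() === 'httponly');
    this.cookies.set(name, { value, httpOnly });
  }

  // Script side read (document.cookie getter): the security mechanism filters
  // out protected cookies, so script never sees them.
  scriptRead() {
    return [...this.cookies]
      .filter(([, c]) => !c.httpOnly)
      .map(([n, c]) => `${n}=${c.value}`)
      .join('; ');
  }

  // Script side write (document.cookie setter). Returns false, leaving the
  // store untouched, when the request targets an existing HttpOnly cookie,
  // so malicious script cannot overwrite it. A script write that tries to
  // set HttpOnly itself is also discarded (RFC 6265 behaviour, assumed here).
  scriptWrite(cookieString) {
    const { name, value, attrs } = CookieJar.parse(cookieString);
    if (attrs.some((a) => a.toLowerCase() === 'httponly')) return false;
    const existing = this.cookies.get(name);
    if (existing && existing.httpOnly) return false;
    this.cookies.set(name, { value, httpOnly: false });
    return true;
  }

  // HTTP side: every cookie, protected or not, is sent back to the server.
  requestHeader() {
    return [...this.cookies]
      .map(([n, c]) => `${n}=${c.value}`)
      .join('; ');
  }

  // Split "name=value; Attr1; Attr2=x" into its parts. The value may itself
  // contain '=', so only the first '=' separates name from value.
  static parse(cookieString) {
    const parts = cookieString.split(';').map((s) => s.trim());
    const eq = parts[0].indexOf('=');
    const name = eq === -1 ? parts[0] : parts[0].slice(0, eq).trim();
    const value = eq === -1 ? '' : parts[0].slice(eq + 1);
    return { name, value, attrs: parts.slice(1).filter(Boolean) };
  }
}

// Simulate what an injected (XSS) script can do against a store populated by
// the server: report what it could read and whether it could clobber the
// protected session cookie.
function simulateXss(jar) {
  const leaked = jar.scriptRead();
  const overwrote = jar.scriptWrite('session=attacker-chosen');
  return { leaked, overwrote };
}

// Constructed sample: the server sets a protected session cookie and an
// unprotected preference cookie.
const jar = new CookieJar();
jar.setFromServer('session=abc123; Path=/; HttpOnly');
jar.setFromServer('theme=dark; Path=/');

const result = simulateXss(jar);
console.log('script could read:', JSON.stringify(result.leaked));  // "theme=dark"
console.log('script overwrote session:', result.overwrote);         // false
console.log('Cookie header on next request:', jar.requestHeader()); // session=abc123; theme=dark
```

The caveat a practitioner should keep in mind is visible in `requestHeader()`: the protected cookie is withheld from script, not from the browser, so any request the page makes (including one an injected script triggers) still carries it. HttpOnly denies an attacker the session token itself, which is the damage limitation the abstract claims, but it does not by itself stop script from acting on the victim's behalf while the session lasts.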
Source: USPTO / EPO open patent data (bibliographic data and citation counts).