Efficient Cookie Revocation for Web Authentication

Many web-based services use persistent cookies to store user authentication information on the disk. In these services, when a web browser connects to the server, it sends the persistent cookies to automate the authentication process so that the user does not need to type in the username or password. However, current web authentication architecture does not have a proper expiration mechanism. As a consequence, a hacker can use an expired cookie to gain unauthorized access to the web services. To fix this problem, we propose two schemes for the web servers to efficiently store and verify cookie state information. We show that these schemes can effectively stop the replay-attack from expired cookies and can be easily implemented.