A Secure-Cookie Recipe for Electronic Transactions

Since there is no concept of a session in HTTP, Web servers and browsers use cookies to capture information for subsequent communications on the Web, thus providing continuity and state across HTTP connections. Technically, cookies can be used to support electronic transactions on the Web, holding users' credit card information. However, it is insecure to store and transmit sensitive information in cookies, because cookies are stored and transmitted in clear text, which is readable and easily forged. In this paper, we describe a recipe of secure cookies for electronic transactions on the Web. A user's credit card information is contained in a set of secure cookies and transmitted to the corresponding Web servers. Therefore, these servers can trust the credit card information in the cookies after cookie-veri cation procedures and use it for electronic transactions. The technology is transparent to users and applicable to existing Web servers and browsers.