{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,3,31]],"date-time":"2026-03-31T22:23:48Z","timestamp":1774995828680,"version":"3.50.1"},"reference-count":55,"publisher":"Association for Computing Machinery (ACM)","issue":"1","license":[{"start":{"date-parts":[[2012,6,1]],"date-time":"2012-06-01T00:00:00Z","timestamp":1338508800000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"funder":[{"DOI":"10.13039\/100000144","name":"Division of Computer and Network Systems","doi-asserted-by":"publisher","award":["CNS-0916047"],"award-info":[{"award-number":["CNS-0916047"]}],"id":[{"id":"10.13039\/100000144","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["ACM Trans. Internet Technol."],"published-print":{"date-parts":[[2012,6]]},"abstract":"<jats:p>\n            HTTP cookies are the de facto mechanism for session authentication in Web applications. However, their inherent security weaknesses allow attacks against the integrity of Web sessions. HTTPS is often recommended to protect cookies, but deploying full HTTPS support can be challenging due to performance and financial concerns, especially for highly distributed applications. Moreover, cookies can be exposed in a variety of ways even when HTTPS is enabled. In this article, we propose\n            <jats:italic>one-time cookies<\/jats:italic>\n            (OTC), a more robust alternative for session authentication. OTC prevents attacks such as session hijacking by signing each user request with a session secret securely stored in the browser. Unlike other proposed solutions, OTC does not require expensive state synchronization in the Web application, making it easily deployable in highly distributed systems. We implemented OTC as a plug-in for the popular WordPress platform and as an extension for Firefox and Firefox for mobile browsers. Our extensive experimental analysis shows that OTC introduces a latency of less than 6 ms when compared to cookies\u2014a negligible overhead for most Web applications. Moreover, we show that OTC can be combined with HTTPS to effectively add another layer of security to Web applications. In so doing, we demonstrate that one-time cookies can significantly improve the security of Web applications with minimal impact on performance and scalability.\n          <\/jats:p>","DOI":"10.1145\/2220352.2220353","type":"journal-article","created":{"date-parts":[[2012,7,13]],"date-time":"2012-07-13T23:07:36Z","timestamp":1342220856000},"page":"1-24","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":71,"title":["One-time cookies"],"prefix":"10.1145","volume":"12","author":[{"given":"Italo","family":"Dacosta","sequence":"first","affiliation":[{"name":"Georgia Institute of Technology"}]},{"given":"Saurabh","family":"Chakradeo","sequence":"additional","affiliation":[{"name":"Georgia Institute of Technology"}]},{"given":"Mustaque","family":"Ahamad","sequence":"additional","affiliation":[{"name":"Georgia Institute of Technology"}]},{"given":"Patrick","family":"Traynor","sequence":"additional","affiliation":[{"name":"Georgia Institute of Technology"}]}],"member":"320","published-online":{"date-parts":[[2012,7,5]]},"reference":[{"key":"e_1_2_1_1_1","doi-asserted-by":"publisher","DOI":"10.1145\/1315245.1315253"},{"key":"e_1_2_1_2_1","doi-asserted-by":"publisher","DOI":"10.1145\/1367497.1367568"},{"key":"e_1_2_1_3_1","doi-asserted-by":"crossref","unstructured":"Barth A. 2011. RFC 6265. HTTP state management mechanism. https:\/\/tools.ietf.org\/html\/rfc6265.  Barth A. 2011. RFC 6265. HTTP state management mechanism. https:\/\/tools.ietf.org\/html\/rfc6265.","DOI":"10.17487\/rfc6265"},{"key":"e_1_2_1_4_1","unstructured":"Blanchet B. ProVerif: Cryptographic protocol verifier in the formal model. http:\/\/www.proverif.ens.fr\/.  Blanchet B. ProVerif: Cryptographic protocol verifier in the formal model. http:\/\/www.proverif.ens.fr\/."},{"key":"e_1_2_1_5_1","doi-asserted-by":"publisher","DOI":"10.5555\/872752.873511"},{"key":"e_1_2_1_6_1","doi-asserted-by":"publisher","DOI":"10.1109\/SAINT.2005.5"},{"key":"e_1_2_1_7_1","volume-title":"Proceedings of the Web 2.0 Security and Privacy Workshop (W2SP).","author":"Bortz A."},{"key":"e_1_2_1_8_1","unstructured":"BUDDYPRESS. BuddyPress.org. http:\/\/buddypress.org\/.  BUDDYPRESS. BuddyPress.org. http:\/\/buddypress.org\/."},{"key":"e_1_2_1_9_1","unstructured":"Butler E. Firesheep. http:\/\/codebutler.com\/firesheep.  Butler E. Firesheep. http:\/\/codebutler.com\/firesheep."},{"key":"e_1_2_1_10_1","unstructured":"Chan M. 2011. China and Google: A detailed look. http:\/\/blogs.aljazeera.net\/asia\/2011\/03\/23\/china-and-google-detailed-look.  Chan M. 2011. China and Google: A detailed look. http:\/\/blogs.aljazeera.net\/asia\/2011\/03\/23\/china-and-google-detailed-look."},{"key":"e_1_2_1_11_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2009.12"},{"key":"e_1_2_1_12_1","volume-title":"Proceedings of the International Conference on Computer Communications and Networks (ICCCN).","author":"Choi T."},{"key":"e_1_2_1_13_1","unstructured":"Close T. 1999. Waterken server: Capability-based security for the Web. http:\/\/waterken.sourceforge.net\/.  Close T. 1999. Waterken server: Capability-based security for the Web. http:\/\/waterken.sourceforge.net\/."},{"key":"e_1_2_1_14_1","doi-asserted-by":"publisher","DOI":"10.1145\/1124153.1124155"},{"key":"e_1_2_1_15_1","unstructured":"COMSCORE. 2011. Smartphones and tablets drive nearly 7 percent of total U.S. digital Traffic. http:\/\/www.comscore.com\/Press_Events\/Press_Releases\/2011\/10\/Smartphones_and_Tabets_Drive_Nearly _7_Percent_of_Total_U.S._Digital_Traffic.  COMSCORE. 2011. Smartphones and tablets drive nearly 7 percent of total U.S. digital Traffic. http:\/\/www.comscore.com\/Press_Events\/Press_Releases\/2011\/10\/Smartphones_and_Tabets_Drive_Nearly _7_Percent_of_Total_U.S._Digital_Traffic."},{"key":"e_1_2_1_16_1","unstructured":"Constantin L. 2010. XSS Attack on Twitter subdomain allowed for complete session hijacking. http:\/\/news.softpedia.com\/news\/XSS-Attack-on-Twitter-Subdomain-Allowed-Full-Session-Hijacking-148240.shtml.  Constantin L. 2010. XSS Attack on Twitter subdomain allowed for complete session hijacking. http:\/\/news.softpedia.com\/news\/XSS-Attack-on-Twitter-Subdomain-Allowed-Full-Session-Hijacking-148240.shtml."},{"key":"e_1_2_1_17_1","unstructured":"Cross T. 2009. Stealing cookies with SSL renegotiation. http:\/\/blogs.iss.net\/archive\/stealingcookieswiths. html.  Cross T. 2009. Stealing cookies with SSL renegotiation. http:\/\/blogs.iss.net\/archive\/stealingcookieswiths. html."},{"key":"e_1_2_1_18_1","doi-asserted-by":"publisher","DOI":"10.1109\/TIT.1983.1056650"},{"key":"e_1_2_1_19_1","unstructured":"Electronic Frontier Foundation. HTTPS everywhere. https:\/\/www.eff.org\/https-everywhere.  Electronic Frontier Foundation. HTTPS everywhere. https:\/\/www.eff.org\/https-everywhere."},{"key":"e_1_2_1_20_1","unstructured":"Elizabeth Woyke. 2011. Automatic Wi-Fi offloading coming to U.S. carriers. http:\/\/www.forbes.com\/sites\/elizabethwoyke\/2011\/04\/22\/automatic-wi-fi-offloading-coming-to-u-s-carriers\/.  Elizabeth Woyke. 2011. Automatic Wi-Fi offloading coming to U.S. carriers. http:\/\/www.forbes.com\/sites\/elizabethwoyke\/2011\/04\/22\/automatic-wi-fi-offloading-coming-to-u-s-carriers\/."},{"key":"e_1_2_1_21_1","unstructured":"Fielding R. T. 2000. Architectural styles and the design of network-based software architectures. Ph.D. dissertation University of California Irvine.   Fielding R. T. 2000. Architectural styles and the design of network-based software architectures. Ph.D. dissertation University of California Irvine."},{"key":"e_1_2_1_22_1","unstructured":"FIREBUG. Firebug: Web development evolved. https:\/\/getfirebug.com\/.  FIREBUG. Firebug: Web development evolved. https:\/\/getfirebug.com\/."},{"key":"e_1_2_1_23_1","volume-title":"Proceedings of the USENIX Security Symposium.","author":"Fu K."},{"key":"e_1_2_1_24_1","unstructured":"Galperin E. 2011. Microsoft shuts off HTTPS in Hotmail for over a dozen countries. https:\/\/www.eff.org\/deeplinks\/2011\/03\/microsoft-shuts-https-hotmail-over-dozen-countries.  Galperin E. 2011. Microsoft shuts off HTTPS in Hotmail for over a dozen countries. https:\/\/www.eff.org\/deeplinks\/2011\/03\/microsoft-shuts-https-hotmail-over-dozen-countries."},{"key":"e_1_2_1_25_1","unstructured":"Goodin D. 2009. Newfangled cookie attack steals\/poisons website creds. http:\/\/www.theregister.co.uk\/2009\/11\/04\/website_cookie_stealing\/print.html.  Goodin D. 2009. Newfangled cookie attack steals\/poisons website creds. http:\/\/www.theregister.co.uk\/2009\/11\/04\/website_cookie_stealing\/print.html."},{"key":"e_1_2_1_26_1","unstructured":"Goodin D. 2010. Hotmail always-on crypto breaks Microsoft's own apps. http:\/\/www.theregister.co.uk\/2010\/11\/10\/lame_hotmail_encryption\/.  Goodin D. 2010. Hotmail always-on crypto breaks Microsoft's own apps. http:\/\/www.theregister.co.uk\/2010\/11\/10\/lame_hotmail_encryption\/."},{"key":"e_1_2_1_27_1","unstructured":"Graham R. 2007. SideJacking with Hamster. http:\/\/erratasec.blogspot.com\/2007\/08\/sidejacking-with-hamster_05.html.  Graham R. 2007. SideJacking with Hamster. http:\/\/erratasec.blogspot.com\/2007\/08\/sidejacking-with-hamster_05.html."},{"key":"e_1_2_1_28_1","unstructured":"Grossman J. 2003. Cross-site tracing (XST). http:\/\/www.cgisecurity.com\/whitehatmirror\/WhitePaper screen.pdf.  Grossman J. 2003. Cross-site tracing (XST). http:\/\/www.cgisecurity.com\/whitehatmirror\/WhitePaper screen.pdf."},{"key":"e_1_2_1_29_1","unstructured":"Hodges J. Jackson C. and Barth A. 2010. HTTP strict transport security (HSTS). http:\/\/tools.ietf.org\/html\/draft-hodges-strict-transport-sec-02.  Hodges J. Jackson C. and Barth A. 2010. HTTP strict transport security (HSTS). http:\/\/tools.ietf.org\/html\/draft-hodges-strict-transport-sec-02."},{"key":"e_1_2_1_30_1","doi-asserted-by":"publisher","DOI":"10.1145\/1367497.1367569"},{"key":"e_1_2_1_31_1","unstructured":"Jehiah. 2006. XSS - Stealing cookies 101. http:\/\/jehiah.cz\/a\/xss-stealing-cookies-101.  Jehiah. 2006. XSS - Stealing cookies 101. http:\/\/jehiah.cz\/a\/xss-stealing-cookies-101."},{"key":"e_1_2_1_32_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2006.8"},{"key":"e_1_2_1_33_1","unstructured":"Koch A. 2011. DroidSheep. http:\/\/droidsheep.de\/.  Koch A. 2011. DroidSheep. http:\/\/droidsheep.de\/."},{"key":"e_1_2_1_34_1","unstructured":"Kolsek M. 2007. Session fixation vulnerability in Web-based applications. http:\/\/www.acrossecurity.com\/papers\/session_fixation.pdf.  Kolsek M. 2007. Session fixation vulnerability in Web-based applications. http:\/\/www.acrossecurity.com\/papers\/session_fixation.pdf."},{"key":"e_1_2_1_35_1","doi-asserted-by":"crossref","unstructured":"Kristol D. and Montulli L. 1997. RFC 2109 - HTTP state management mechanism. http:\/\/tools.ietf.org\/html\/rfc2109.   Kristol D. and Montulli L. 1997. RFC 2109 - HTTP state management mechanism. http:\/\/tools.ietf.org\/html\/rfc2109.","DOI":"10.17487\/rfc2109"},{"key":"e_1_2_1_36_1","doi-asserted-by":"crossref","unstructured":"Kristol D. and Montulli L. 2000. RFC 2965 - HTTP state management mechanism.   Kristol D. and Montulli L. 2000. RFC 2965 - HTTP state management mechanism.","DOI":"10.17487\/rfc2965"},{"key":"e_1_2_1_37_1","unstructured":"Leyden J. 2011. AmEx \u201cdebug mode left site wide open \u201d says hacker. http:\/\/www.theregister.co.uk\/.2011\/10\/07\/amex_website_security_snafu\/print.html.  Leyden J. 2011. AmEx \u201cdebug mode left site wide open \u201d says hacker. http:\/\/www.theregister.co.uk\/.2011\/10\/07\/amex_website_security_snafu\/print.html."},{"key":"e_1_2_1_38_1","volume-title":"Proceedings of the International Conference on Computer Communications and Networks (ICCCN).","author":"Liu A."},{"key":"e_1_2_1_39_1","unstructured":"Mitchell S. 2004. Understanding ASP.NET view state. http:\/\/msdn.microsoft.com\/en-us\/library\/ms 972976.aspx.  Mitchell S. 2004. Understanding ASP.NET view state. http:\/\/msdn.microsoft.com\/en-us\/library\/ms 972976.aspx."},{"key":"e_1_2_1_40_1","doi-asserted-by":"publisher","DOI":"10.1145\/306225.306235"},{"key":"e_1_2_1_41_1","doi-asserted-by":"publisher","DOI":"10.17487\/rfc4226"},{"key":"e_1_2_1_42_1","doi-asserted-by":"crossref","unstructured":"Neuman C. Yu T. Hartman S. and Raeburn K. 2005. RFC 4120 - The Kerberos network authentication service (V5). http:\/\/tools.ietf.org\/html\/rfc4120.  Neuman C. Yu T. Hartman S. and Raeburn K. 2005. RFC 4120 - The Kerberos network authentication service (V5). http:\/\/tools.ietf.org\/html\/rfc4120.","DOI":"10.17487\/rfc4120"},{"key":"e_1_2_1_43_1","doi-asserted-by":"publisher","DOI":"10.1109\/4236.865085"},{"key":"e_1_2_1_44_1","unstructured":"Ponurkiewicz B. 2011. FaceNiff. http:\/\/faceniff.ponury.net\/.  Ponurkiewicz B. 2011. FaceNiff. http:\/\/faceniff.ponury.net\/."},{"key":"e_1_2_1_45_1","doi-asserted-by":"publisher","DOI":"10.1109\/MSP.2010.190"},{"key":"e_1_2_1_46_1","unstructured":"Prince B. 2010. Google moves encrypted Web search. http:\/\/www.eweek.com\/c\/a\/Security\/Google-Moves-Encrypted-Web-Search-668624\/.  Prince B. 2010. Google moves encrypted Web search. http:\/\/www.eweek.com\/c\/a\/Security\/Google-Moves-Encrypted-Web-Search-668624\/."},{"key":"e_1_2_1_47_1","volume-title":"Proceedings of the USENIX Symposium on Network Systems Design and Implementation (NSDI).","author":"Reis C."},{"key":"e_1_2_1_48_1","unstructured":"Rodriguez A. 2008. RESTful Web services: The basics. https:\/\/www.ibm.com\/developerworks\/webservices\/library\/ws-restful\/.  Rodriguez A. 2008. RESTful Web services: The basics. https:\/\/www.ibm.com\/developerworks\/webservices\/library\/ws-restful\/."},{"key":"e_1_2_1_49_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2007.35"},{"key":"e_1_2_1_50_1","unstructured":"Schneier B. 2011. Man-in-the-middle attack against SSL 3.0\/TLS 1.0. https:\/\/www.schneier.com\/blog\/archives\/2011\/09\/man-in-the-midd_4.html.  Schneier B. 2011. Man-in-the-middle attack against SSL 3.0\/TLS 1.0. https:\/\/www.schneier.com\/blog\/archives\/2011\/09\/man-in-the-midd_4.html."},{"key":"e_1_2_1_51_1","unstructured":"Siegler M. 2010. China syndrome: Gmail now defaults to encrypted access. http:\/\/techcrunch.com\/2010\/01\/13\/china-hacking-gmail-secure\/.the open web application security project (OWASP). 2010. OWASP Top Ten Project. http:\/\/www.owasp.org\/index.php\/Category:OWASP_Top_Ten_Project.  Siegler M. 2010. China syndrome: Gmail now defaults to encrypted access. http:\/\/techcrunch.com\/2010\/01\/13\/china-hacking-gmail-secure\/.the open web application security project (OWASP). 2010. OWASP Top Ten Project. http:\/\/www.owasp.org\/index.php\/Category:OWASP_Top_Ten_Project."},{"key":"e_1_2_1_52_1","doi-asserted-by":"publisher","DOI":"10.1109\/MSP.2010.114"},{"key":"e_1_2_1_53_1","unstructured":"WORDPRESS. WordPress: Blog tool publishing platform and CMS. http:\/\/wordpress.org\/.  WORDPRESS. WordPress: Blog tool publishing platform and CMS. http:\/\/wordpress.org\/."},{"key":"e_1_2_1_54_1","unstructured":"Zalewski M. 2008. Browser Security Handbook. http:\/\/code.google.com\/p\/browsersec\/wiki\/Part2.  Zalewski M. 2008. Browser Security Handbook. http:\/\/code.google.com\/p\/browsersec\/wiki\/Part2."},{"key":"e_1_2_1_55_1","unstructured":"Zhou Y. and Evans D. 2010. Why aren't HTTP-only cookies more widely deployed&quest; In Proceedings of the Web 2.0 Security and Privacy Workshop (W2SP).  Zhou Y. and Evans D. 2010. Why aren't HTTP-only cookies more widely deployed&quest; In Proceedings of the Web 2.0 Security and Privacy Workshop (W2SP)."}],"container-title":["ACM Transactions on Internet Technology"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/2220352.2220353","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/2220352.2220353","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,18]],"date-time":"2025-06-18T20:00:46Z","timestamp":1750276846000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/2220352.2220353"}},"subtitle":["Preventing session hijacking attacks with stateless authentication tokens"],"short-title":[],"issued":{"date-parts":[[2012,6]]},"references-count":55,"journal-issue":{"issue":"1","published-print":{"date-parts":[[2012,6]]}},"alternative-id":["10.1145\/2220352.2220353"],"URL":"https:\/\/doi.org\/10.1145\/2220352.2220353","relation":{},"ISSN":["1533-5399","1557-6051"],"issn-type":[{"value":"1533-5399","type":"print"},{"value":"1557-6051","type":"electronic"}],"subject":[],"published":{"date-parts":[[2012,6]]},"assertion":[{"value":"2012-02-01","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2012-04-01","order":1,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}},{"value":"2012-07-05","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}