{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,11,18]],"date-time":"2025-11-18T12:12:09Z","timestamp":1763467929485,"version":"3.41.0"},"reference-count":62,"publisher":"Association for Computing Machinery (ACM)","issue":"3","license":[{"start":{"date-parts":[[2009,6,1]],"date-time":"2009-06-01T00:00:00Z","timestamp":1243814400000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["ACM Trans. Web"],"published-print":{"date-parts":[[2009,6]]},"abstract":"<jats:p>The results of an extensive investigation of cookie deployment amongst 100,000 Internet sites are presented. Cookie deployment is found to be approaching universal levels and hence there exists an associated need for relevant Web and software engineering processes, specifically testing strategies which actively consider cookies. The semi-automated investigation demonstrates that over two-thirds of the sites studied deploy cookies. The investigation specifically examines the use of first-party, third-party, sessional, and persistent cookies within Web-based applications, identifying the presence of a P3P policy and dynamic Web technologies as major predictors of cookie usage. The results are juxtaposed with the lack of testing strategies present in the literature. A number of real-world examples, including two case studies are presented, further accentuating the need for comprehensive testing strategies for Web-based applications. The use of antirandom test case generation is explored with respect to the testing issues discussed. Finally, a number of seeding vectors are presented, providing a basis for testing cookies within Web-based applications.<\/jats:p>","DOI":"10.1145\/1541822.1541824","type":"journal-article","created":{"date-parts":[[2009,6,30]],"date-time":"2009-06-30T13:10:17Z","timestamp":1246367417000},"page":"1-49","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":16,"title":["Cookies"],"prefix":"10.1145","volume":"3","author":[{"given":"Andrew F.","family":"Tappenden","sequence":"first","affiliation":[{"name":"University of Alberta, Canada"}]},{"given":"James","family":"Miller","sequence":"additional","affiliation":[{"name":"University of Alberta, Canada"}]}],"member":"320","published-online":{"date-parts":[[2009,7,3]]},"reference":[{"key":"e_1_2_1_1_1","unstructured":"]]Alexa Internet Inc. 2006a. About the Alexa traffic rankings. http:\/\/www.alexa.com\/site\/devcorner\/top_sites.  ]]Alexa Internet Inc. 2006a. About the Alexa traffic rankings. http:\/\/www.alexa.com\/site\/devcorner\/top_sites."},{"key":"e_1_2_1_2_1","unstructured":"]]Alexa Internet Inc. 2006b. Alexa top site service. http:\/\/www.alexa.com\/site\/devcorner\/top_sites.  ]]Alexa Internet Inc. 2006b. Alexa top site service. http:\/\/www.alexa.com\/site\/devcorner\/top_sites."},{"key":"e_1_2_1_3_1","doi-asserted-by":"publisher","DOI":"10.1145\/967900.968236"},{"key":"e_1_2_1_4_1","doi-asserted-by":"publisher","DOI":"10.1007\/s10270-004-0077-7"},{"key":"e_1_2_1_5_1","unstructured":"]]Auger R. Currudo C. Huseby S. H. Newman A. C. Pompon R. Groves D. and Ristic I. 2005. Web security glossary. Web Application Security Consortium. http:\/\/www.webappsec.org\/projects\/glossary\/.  ]]Auger R. Currudo C. Huseby S. H. Newman A. C. Pompon R. Groves D. and Ristic I. 2005. Web security glossary. Web Application Security Consortium. http:\/\/www.webappsec.org\/projects\/glossary\/."},{"key":"e_1_2_1_6_1","doi-asserted-by":"publisher","DOI":"10.1145\/1066677.1067060"},{"key":"e_1_2_1_7_1","unstructured":"]]BlackHawk. 2007. RevokeBB blind SQL injection\/hash extractor. Neohapsis. http:\/\/archives.neohapsis.com\/archives\/bugtraq\/2007-06\/0014.html.  ]]BlackHawk. 2007. RevokeBB blind SQL injection\/hash extractor. Neohapsis. http:\/\/archives.neohapsis.com\/archives\/bugtraq\/2007-06\/0014.html."},{"key":"e_1_2_1_8_1","unstructured":"]]CBS News. 2002. CIA caught sneaking cookies. CBS Worldwide Inc. http:\/\/www.cbsnews.com\/stories\/2002\/03\/20\/tech\/printable504131.shtml.  ]]CBS News. 2002. CIA caught sneaking cookies. CBS Worldwide Inc. http:\/\/www.cbsnews.com\/stories\/2002\/03\/20\/tech\/printable504131.shtml."},{"key":"e_1_2_1_9_1","unstructured":"]]CGISecurity.com. 2002. The cross site scripting FAQ. http:\/\/www.cgisecurity.com\/articles\/xss-faq.shtml.  ]]CGISecurity.com. 2002. The cross site scripting FAQ. http:\/\/www.cgisecurity.com\/articles\/xss-faq.shtml."},{"key":"e_1_2_1_10_1","unstructured":"]]ComScore Inc. 2007a. ComScore releases March U.S. search engine rankings. http:\/\/www.comscore.com\/press\/release.asp?id=1397.  ]]ComScore Inc. 2007a. ComScore releases March U.S. search engine rankings. http:\/\/www.comscore.com\/press\/release.asp?id=1397."},{"key":"e_1_2_1_11_1","unstructured":"]]ComScore Inc. 2007b. Cookie-Based counting overstates size of Web site audiencces. http:\/\/www.comscore.com\/press\/release.asp?press=1389.  ]]ComScore Inc. 2007b. Cookie-Based counting overstates size of Web site audiencces. http:\/\/www.comscore.com\/press\/release.asp?press=1389."},{"key":"e_1_2_1_12_1","unstructured":"]]Cook S. 2003. A Web developers guide to cross-site scripting. The SANS Institute. http:\/\/www.sans.org\/reading_room\/whitepapers\/securecode\/988.php.  ]]Cook S. 2003. A Web developers guide to cross-site scripting. The SANS Institute. http:\/\/www.sans.org\/reading_room\/whitepapers\/securecode\/988.php."},{"key":"e_1_2_1_13_1","doi-asserted-by":"publisher","DOI":"10.5555\/876882.879747"},{"key":"e_1_2_1_14_1","doi-asserted-by":"publisher","DOI":"10.1109\/TSE.2005.36"},{"key":"e_1_2_1_15_1","unstructured":"]]Fogie S. 2006. XSS cookies and session ID authentication: Three ingredients for a successful hack. Pearson Education Inc. http:\/\/www.informit.com\/articles\/article.asp?p=603037&rl=1.  ]]Fogie S. 2006. XSS cookies and session ID authentication: Three ingredients for a successful hack. Pearson Education Inc. http:\/\/www.informit.com\/articles\/article.asp?p=603037&rl=1."},{"key":"e_1_2_1_16_1","unstructured":"]]Gold R. 2004. HTTPUnit home. http:\/\/httpunit.sourceforge.net\/.  ]]Gold R. 2004. HTTPUnit home. http:\/\/httpunit.sourceforge.net\/."},{"key":"e_1_2_1_17_1","unstructured":"]]Google. 2007. Google analytics. Google. http:\/\/www.google.com\/analytics\/.  ]]Google. 2007. Google analytics. Google. http:\/\/www.google.com\/analytics\/."},{"key":"e_1_2_1_18_1","unstructured":"]]Iron. 2008. EazyPortal &lt;&equals; 1.0 SQL injection exploit. milw0rm.com. http:\/\/milw0rm.com\/exploits\/5196.  ]]Iron. 2008. EazyPortal &lt;&equals; 1.0 SQL injection exploit. milw0rm.com. http:\/\/milw0rm.com\/exploits\/5196."},{"key":"e_1_2_1_19_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2006.8"},{"key":"e_1_2_1_20_1","doi-asserted-by":"crossref","unstructured":"]]Kals S. 2007. SecuBat. http:\/\/www.secubat.org\/.  ]]Kals S. 2007. SecuBat. http:\/\/www.secubat.org\/.","DOI":"10.1145\/1135777.1135817"},{"key":"e_1_2_1_21_1","doi-asserted-by":"crossref","unstructured":"]]Kristol D. and Montulli L. 1997. RFC 2109: HTTP state management mechanism. Internet Engineering Task Force. http:\/\/www.ietf.org\/rfc\/rfc2109.txt.   ]]Kristol D. and Montulli L. 1997. RFC 2109: HTTP state management mechanism. Internet Engineering Task Force. http:\/\/www.ietf.org\/rfc\/rfc2109.txt.","DOI":"10.17487\/rfc2109"},{"key":"e_1_2_1_22_1","doi-asserted-by":"crossref","unstructured":"]]Kristol D. and Montulli L. 2000. RFC 2965: HTTP state management mechanism. Internet Engineering Task Force. http:\/\/www.ietf.org\/rfc\/rfc2965.txt.   ]]Kristol D. and Montulli L. 2000. RFC 2965: HTTP state management mechanism. Internet Engineering Task Force. http:\/\/www.ietf.org\/rfc\/rfc2965.txt.","DOI":"10.17487\/rfc2965"},{"key":"e_1_2_1_23_1","doi-asserted-by":"publisher","DOI":"10.1145\/502152.502153"},{"key":"e_1_2_1_24_1","doi-asserted-by":"publisher","DOI":"10.5555\/786446.786474"},{"key":"e_1_2_1_25_1","doi-asserted-by":"publisher","DOI":"10.1109\/ISSRE.1995.497647"},{"key":"e_1_2_1_26_1","unstructured":"]]Microsoft Corp. 2002. No cookies for you&excl; Internet explorer service pack helps thwart cross-site script attacks. Microsoft Corp. http:\/\/www.microsoft.com\/presspass\/features\/2002\/oct02\/10-23xss-ie.mspx.  ]]Microsoft Corp. 2002. No cookies for you&excl; Internet explorer service pack helps thwart cross-site script attacks. Microsoft Corp. http:\/\/www.microsoft.com\/presspass\/features\/2002\/oct02\/10-23xss-ie.mspx."},{"key":"e_1_2_1_27_1","unstructured":"]]Microsoft Corp. 2007. Mitigating cross-site scripting with HTTP-only cookies. http:\/\/msdn2.microsoft.com\/en-us\/library\/ms533046.aspx.  ]]Microsoft Corp. 2007. Mitigating cross-site scripting with HTTP-only cookies. http:\/\/msdn2.microsoft.com\/en-us\/library\/ms533046.aspx."},{"key":"e_1_2_1_28_1","unstructured":"]]Mozilla Corp. 2006. Firefox. http:\/\/www.mozilla.com\/firefox\/.  ]]Mozilla Corp. 2006. Firefox. http:\/\/www.mozilla.com\/firefox\/."},{"key":"e_1_2_1_29_1","unstructured":"]]Net Applications. 2006. Browser market share. Net Applications. http:\/\/marketshare.hitslink.com\/report.aspx?qprid=0.  ]]Net Applications. 2006. Browser market share. Net Applications. http:\/\/marketshare.hitslink.com\/report.aspx?qprid=0."},{"key":"e_1_2_1_30_1","unstructured":"]]Nielsen\/\/NetRatings. 2007. Nielsen\/\/NetRatings announces March U.S. search share rankings.  ]]Nielsen\/\/NetRatings. 2007. Nielsen\/\/NetRatings announces March U.S. search share rankings."},{"key":"e_1_2_1_31_1","unstructured":"]]Nielsen\/\/NetRatings. http:\/\/www.netratings.com\/pr\/pr_070320.pdf.  ]]Nielsen\/\/NetRatings. http:\/\/www.netratings.com\/pr\/pr_070320.pdf."},{"key":"e_1_2_1_32_1","doi-asserted-by":"publisher","DOI":"10.1109\/ISSRE.2004.13"},{"key":"e_1_2_1_33_1","doi-asserted-by":"publisher","DOI":"10.1109\/4236.865085"},{"key":"e_1_2_1_34_1","unstructured":"]]PHP Group. 2008. The PHP manual: Magic quotes. http:\/\/ca.php.net\/magic_quotes.  ]]PHP Group. 2008. The PHP manual: Magic quotes. http:\/\/ca.php.net\/magic_quotes."},{"key":"e_1_2_1_35_1","unstructured":"]]Rathaus N. 2004. PlaySMS SQL injetion via cookie. Beyond Security. http:\/\/www.securiteam.com\/unixfocus\/5UP0F2ADPS.html.  ]]Rathaus N. 2004. PlaySMS SQL injetion via cookie. Beyond Security. http:\/\/www.securiteam.com\/unixfocus\/5UP0F2ADPS.html."},{"key":"e_1_2_1_36_1","doi-asserted-by":"publisher","DOI":"10.1109\/TDSC.2007.1004"},{"volume-title":"Proceedings of the IEEE 23rd International Conference on Software Engineering.","author":"Ricca F.","key":"e_1_2_1_37_1"},{"key":"e_1_2_1_38_1","doi-asserted-by":"publisher","DOI":"10.5555\/647067.715354"},{"key":"e_1_2_1_39_1","unstructured":"]]Secunia. 2005a. PaFileDB administrative user authentication SQL injection. http:\/\/secunia.com\/advisories\/16566\/.  ]]Secunia. 2005a. PaFileDB administrative user authentication SQL injection. http:\/\/secunia.com\/advisories\/16566\/."},{"key":"e_1_2_1_40_1","unstructured":"]]Secunia. 2005b. phpCOIN SQL injection and file inclusion vulnerabilities. http:\/\/secunia.com\/advisories\/21624.  ]]Secunia. 2005b. phpCOIN SQL injection and file inclusion vulnerabilities. http:\/\/secunia.com\/advisories\/21624."},{"key":"e_1_2_1_41_1","unstructured":"]]Secunia. 2006. e107 cookie parameter SQL injection vulnerability. http:\/\/secunia.com\/advisories\/20089\/.  ]]Secunia. 2006. e107 cookie parameter SQL injection vulnerability. http:\/\/secunia.com\/advisories\/20089\/."},{"key":"e_1_2_1_42_1","unstructured":"]]SecuriTeam. 2004. Internet software sciences's Web+Center SQL injection. Beyond Security. http:\/\/www.securiteam.com\/windowsntfocus\/5RP0N0ADGK.html.  ]]SecuriTeam. 2004. Internet software sciences's Web+Center SQL injection. Beyond Security. http:\/\/www.securiteam.com\/windowsntfocus\/5RP0N0ADGK.html."},{"key":"e_1_2_1_43_1","unstructured":"]]SecuriTeam. 2008. MyBB SQL injetion (exploit). Beyond Security. http:\/\/www.securiteam.com\/exploits\/5GP0E1PI0Y.html.  ]]SecuriTeam. 2008. MyBB SQL injetion (exploit). Beyond Security. http:\/\/www.securiteam.com\/exploits\/5GP0E1PI0Y.html."},{"key":"e_1_2_1_44_1","unstructured":"]]Security Space. 2006a. Internet cookie report. E-Soft Inc. http:\/\/www.securityspace.com\/s_survey\/data\/man.200609\/cookieReport.html.  ]]Security Space. 2006a. Internet cookie report. E-Soft Inc. http:\/\/www.securityspace.com\/s_survey\/data\/man.200609\/cookieReport.html."},{"key":"e_1_2_1_45_1","unstructured":"]]Security Space. 2006b. Technology penetration report. E-Soft Inc. http:\/\/www.securityspace.com\/s_survey\/data\/man.200610\/techpen.html.  ]]Security Space. 2006b. Technology penetration report. E-Soft Inc. http:\/\/www.securityspace.com\/s_survey\/data\/man.200610\/techpen.html."},{"key":"e_1_2_1_46_1","unstructured":"]]Smith R. M. 1999. The Web bug FAQ. Electronic Frontier Foundation. http:\/\/www.eff.org\/Privacy\/Marketing\/web_bug.html.  ]]Smith R. M. 1999. The Web bug FAQ. Electronic Frontier Foundation. http:\/\/www.eff.org\/Privacy\/Marketing\/web_bug.html."},{"key":"e_1_2_1_47_1","doi-asserted-by":"publisher","DOI":"10.1109\/ADC.2005.11"},{"key":"e_1_2_1_48_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICST.2008.18"},{"key":"e_1_2_1_49_1","doi-asserted-by":"publisher","DOI":"10.4018\/jitwe.2006040101"},{"volume-title":"Proceedings of the Western Australian Workshop on Information Systems Research.","author":"Tezinde T.","key":"e_1_2_1_50_1"},{"key":"e_1_2_1_51_1","unstructured":"]]TheCounter.com. 2006. Browser stats. Jupitermedia Corporation. http:\/\/www.thecounter.com\/stats\/2006\/October\/browser.php.  ]]TheCounter.com. 2006. Browser stats. Jupitermedia Corporation. http:\/\/www.thecounter.com\/stats\/2006\/October\/browser.php."},{"volume-title":"Proceedings of the IEEE 6th International Workshop on Web Site Evolution, 11--19","author":"Tonella P.","key":"e_1_2_1_52_1"},{"key":"e_1_2_1_53_1","unstructured":"]]Verton R. 2007. WebSpell authentication bypass and arbitrary code execution. NEOHAPSIS. http:\/\/archives.neohapsis.com\/archives\/bugtraq\/2007-02\/0426.html.  ]]Verton R. 2007. WebSpell authentication bypass and arbitrary code execution. NEOHAPSIS. http:\/\/archives.neohapsis.com\/archives\/bugtraq\/2007-02\/0426.html."},{"key":"e_1_2_1_54_1","unstructured":"]]Vind J. 2007. Critical SQL injection in NukeSentinel 2.5.12. http:\/\/www.waraxe.us\/advisory-58.html.  ]]Vind J. 2007. Critical SQL injection in NukeSentinel 2.5.12. http:\/\/www.waraxe.us\/advisory-58.html."},{"volume-title":"Proceedings of the IEEE 3rd International High-Assurance Systems Engineering Symposium. 262--269","author":"von Mayrhause A.","key":"e_1_2_1_55_1"},{"key":"e_1_2_1_56_1","unstructured":"]]W3 Schools. 2006. Browser statistics. Refsnes Data. http:\/\/www.w3schools.com\/browsers\/browsers_stats.asp.  ]]W3 Schools. 2006. Browser statistics. Refsnes Data. http:\/\/www.w3schools.com\/browsers\/browsers_stats.asp."},{"key":"e_1_2_1_57_1","unstructured":"]]W3C. 2006. Platform for privacy preferences (P3P) project. W3C. http:\/\/www.w3.org\/P3P\/.  ]]W3C. 2006. Platform for privacy preferences (P3P) project. W3C. http:\/\/www.w3.org\/P3P\/."},{"key":"e_1_2_1_58_1","doi-asserted-by":"publisher","DOI":"10.1145\/1039174.1039200"},{"key":"e_1_2_1_59_1","unstructured":"]]Yahoo&excl; Inc. 2006. Yahoo&excl; search marketing. http:\/\/www.content.overture.com\/d\/.  ]]Yahoo&excl; Inc. 2006. Yahoo&excl; search marketing. http:\/\/www.content.overture.com\/d\/."},{"volume-title":"Proceedings of the 8th International Symposium On Software Reliability Engineering. 84--95","author":"Yin H.","key":"e_1_2_1_60_1"},{"key":"e_1_2_1_61_1","doi-asserted-by":"publisher","DOI":"10.1109\/DSN.2007.21"},{"key":"e_1_2_1_62_1","unstructured":"]]Zalewski M. 2006. Cross site cooking. Beyond Security. http:\/\/www.securiteam.com\/securityreviews\/5EP0L2KHFG.html.  ]]Zalewski M. 2006. Cross site cooking. Beyond Security. http:\/\/www.securiteam.com\/securityreviews\/5EP0L2KHFG.html."}],"container-title":["ACM Transactions on the Web"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/1541822.1541824","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/1541822.1541824","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,18]],"date-time":"2025-06-18T12:18:08Z","timestamp":1750249088000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/1541822.1541824"}},"subtitle":["A deployment study and the testing implications"],"short-title":[],"issued":{"date-parts":[[2009,6]]},"references-count":62,"journal-issue":{"issue":"3","published-print":{"date-parts":[[2009,6]]}},"alternative-id":["10.1145\/1541822.1541824"],"URL":"https:\/\/doi.org\/10.1145\/1541822.1541824","relation":{},"ISSN":["1559-1131","1559-114X"],"issn-type":[{"type":"print","value":"1559-1131"},{"type":"electronic","value":"1559-114X"}],"subject":[],"published":{"date-parts":[[2009,6]]},"assertion":[{"value":"2007-06-01","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2009-02-01","order":1,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}},{"value":"2009-07-03","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}