{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,5,19]],"date-time":"2026-05-19T12:36:02Z","timestamp":1779194162118,"version":"3.51.4"},"publisher-location":"New York, NY, USA","reference-count":34,"publisher":"ACM","license":[{"start":{"date-parts":[[2016,5,30]],"date-time":"2016-05-30T00:00:00Z","timestamp":1464566400000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2016,5,30]]},"DOI":"10.1145\/2897845.2897889","type":"proceedings-article","created":{"date-parts":[[2016,5,27]],"date-time":"2016-05-27T12:37:36Z","timestamp":1464352656000},"page":"675-685","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":15,"title":["Half-Baked Cookies"],"prefix":"10.1145","author":[{"given":"Yogesh","family":"Mundada","sequence":"first","affiliation":[{"name":"Georgia Institute of Technology, Atlanta, USA"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Nick","family":"Feamster","sequence":"additional","affiliation":[{"name":"Princeton University, Princeton, USA"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Balachander","family":"Krishnamurthy","sequence":"additional","affiliation":[{"name":"AT&amp;T Labs Research, New Jersey, USA"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"320","published-online":{"date-parts":[[2016,5,30]]},"reference":[{"key":"e_1_3_2_1_1_1","doi-asserted-by":"publisher","DOI":"10.5555\/645920.672836"},{"key":"e_1_3_2_1_2_1","unstructured":"Unsafe cookies leave WordPress accounts open to hijacking 2-factor bypass. Ars Technica. http:\/\/goo.gl\/B1qLF7 May 2014.  Unsafe cookies leave WordPress accounts open to hijacking 2-factor bypass. Ars Technica. http:\/\/goo.gl\/B1qLF7 May 2014."},{"key":"e_1_3_2_1_3_1","doi-asserted-by":"publisher","DOI":"10.17487\/rfc3833"},{"key":"e_1_3_2_1_4_1","doi-asserted-by":"publisher","DOI":"10.17487\/rfc6454"},{"key":"e_1_3_2_1_5_1","unstructured":"Bigcommerce: Ecommerce Software & Shopping Cart. https:\/\/www.bigcommerce.com\/ .  Bigcommerce: Ecommerce Software & Shopping Cart. https:\/\/www.bigcommerce.com\/ ."},{"key":"e_1_3_2_1_6_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-04897-0_11"},{"key":"e_1_3_2_1_7_1","unstructured":"E. Butler. A Firefox extension that demonstrates HTTP session hijacking attacks. http:\/\/codebutler.github.io\/firesheep\/ 2010.  E. Butler. A Firefox extension that demonstrates HTTP session hijacking attacks. http:\/\/codebutler.github.io\/firesheep\/ 2010."},{"key":"e_1_3_2_1_8_1","doi-asserted-by":"publisher","DOI":"10.1145\/2566486.2568047"},{"key":"e_1_3_2_1_9_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-30823-9_5"},{"key":"e_1_3_2_1_10_1","volume-title":"Internet Engineering Task Force","author":"Fielding R.","year":"1999","unstructured":"R. Fielding , J. Gettys , J. Mogul , H. Frystyk , L. Masinter , P. Leach , and T. Berners-Lee . Hyptertext Transfer Protocol -- HTTP\/1.1 . Internet Engineering Task Force , June 1999 . RFC 2616. R. Fielding, J. Gettys, J. Mogul, H. Frystyk, L. Masinter, P. Leach, and T. Berners-Lee. Hyptertext Transfer Protocol -- HTTP\/1.1. Internet Engineering Task Force, June 1999. RFC 2616."},{"key":"e_1_3_2_1_11_1","volume-title":"Proc. 10th USENIX Security Symposium","author":"Fu K.","year":"2001","unstructured":"K. Fu , E. Sit , K. Smith , and N. Feamster . Dos and don'ts of client authentication on the Web . In Proc. 10th USENIX Security Symposium , Washington, DC , Aug. 2001 . K. Fu, E. Sit, K. Smith, and N. Feamster. Dos and don'ts of client authentication on the Web. In Proc. 10th USENIX Security Symposium, Washington, DC, Aug. 2001."},{"key":"e_1_3_2_1_12_1","volume-title":"Retrieved","year":"2015","unstructured":"Hamster. https:\/\/github.com\/robertdavidgraham\/hamster , Retrieved Feb. 2015 . Hamster. https:\/\/github.com\/robertdavidgraham\/hamster, Retrieved Feb. 2015."},{"key":"e_1_3_2_1_13_1","doi-asserted-by":"publisher","DOI":"10.17487\/rfc6797"},{"key":"e_1_3_2_1_14_1","volume-title":"Retrieved","year":"2015","unstructured":"HttpOnly. https:\/\/www.owasp.org\/index.php\/HttpOnly , Retrieved Feb. 2015 . HttpOnly. https:\/\/www.owasp.org\/index.php\/HttpOnly, Retrieved Feb. 2015."},{"key":"e_1_3_2_1_15_1","doi-asserted-by":"publisher","DOI":"10.1145\/1367497.1367569"},{"key":"e_1_3_2_1_16_1","volume-title":"NDSS '15: The 2015 Network and Distributed System Security Symposium","author":"Kranch M.","year":"2015","unstructured":"M. Kranch and J. Bonneau . Upgrading https in midair: Hsts and key pinning in practice . In NDSS '15: The 2015 Network and Distributed System Security Symposium , February 2015 . M. Kranch and J. Bonneau. Upgrading https in midair: Hsts and key pinning in practice. In NDSS '15: The 2015 Network and Distributed System Security Symposium, February 2015."},{"key":"e_1_3_2_1_17_1","unstructured":"Magento: Ecommerce Software & Ecommerce Platform. http:\/\/magento.com\/ Retrieved Feb. 2015.  Magento: Ecommerce Software & Ecommerce Platform. http:\/\/magento.com\/ Retrieved Feb. 2015."},{"key":"e_1_3_2_1_18_1","unstructured":"Nbtool. https:\/\/wiki.skullsecurity.org\/Nbtool.  Nbtool. https:\/\/wiki.skullsecurity.org\/Nbtool."},{"key":"e_1_3_2_1_19_1","unstructured":"Newton: Detailed Evaluation. https:\/\/goo.gl\/Rj7Vvw.  Newton: Detailed Evaluation. https:\/\/goo.gl\/Rj7Vvw."},{"key":"e_1_3_2_1_20_1","doi-asserted-by":"publisher","DOI":"10.5555\/1946341.1946351"},{"key":"e_1_3_2_1_21_1","volume-title":"OWASP Top 10 Application Security Risks -","author":"OWASP.","year":"2010","unstructured":"OWASP. OWASP Top 10 Application Security Risks - 2010 . https:\/\/www.owasp.org\/index.php\/Top_10_2010-Main, 2010. OWASP. OWASP Top 10 Application Security Risks - 2010. https:\/\/www.owasp.org\/index.php\/Top_10_2010-Main, 2010."},{"key":"e_1_3_2_1_22_1","unstructured":"Appu: FPI examples. https:\/\/goo.gl\/qcllbR.  Appu: FPI examples. https:\/\/goo.gl\/qcllbR."},{"key":"e_1_3_2_1_23_1","unstructured":"OWASP\n  : Double Submit Cookies. http:\/\/goo.gl\/qmW7o5 Retrieved Feb. 2015.  OWASP: Double Submit Cookies. http:\/\/goo.gl\/qmW7o5 Retrieved Feb. 2015."},{"key":"e_1_3_2_1_24_1","volume-title":"Retrieved","author":"Testing","year":"2015","unstructured":"Testing for cookies attributes. https:\/\/www.owasp.org\/index.php\/Testing_for_cookies_attributes_(OWASP-SM-002) , Retrieved Feb. 2015 . Testing for cookies attributes. https:\/\/www.owasp.org\/index.php\/Testing_for_cookies_attributes_(OWASP-SM-002), Retrieved Feb. 2015."},{"key":"e_1_3_2_1_25_1","volume-title":"9th USENIX Symposium on Networked Systems Design and Implementation. NSDI 2012","author":"Roesner F.","year":"2012","unstructured":"F. Roesner , T. Kohno , and D. Wetherall . Detecting and defending against third-party tracking on the web . In 9th USENIX Symposium on Networked Systems Design and Implementation. NSDI 2012 , 2012 . F. Roesner, T. Kohno, and D. Wetherall. Detecting and defending against third-party tracking on the web. In 9th USENIX Symposium on Networked Systems Design and Implementation. NSDI 2012, 2012."},{"key":"e_1_3_2_1_26_1","unstructured":"Seclist Advisory: Weak RNG in PHP session ID generation leads to session hijacking. http:\/\/seclists.org\/fulldisclosure\/2010\/Mar\/519 Retrieved Feb. 2015.  Seclist Advisory: Weak RNG in PHP session ID generation leads to session hijacking. http:\/\/seclists.org\/fulldisclosure\/2010\/Mar\/519 Retrieved Feb. 2015."},{"key":"e_1_3_2_1_27_1","unstructured":"Selenium Web application testing system. http:\/\/www.seleniumhq.org.  Selenium Web application testing system. http:\/\/www.seleniumhq.org."},{"key":"e_1_3_2_1_28_1","volume-title":"Retrieved","author":"Session","year":"2015","unstructured":"Session hijacking attack. https:\/\/www.owasp.org\/index.php\/Session_hijacking_attack , Retrieved Feb. 2015 . Session hijacking attack. https:\/\/www.owasp.org\/index.php\/Session_hijacking_attack, Retrieved Feb. 2015."},{"key":"e_1_3_2_1_29_1","volume-title":"Retrieved on","author":"Pulse SSL","year":"2014","unstructured":"SSL Pulse : Survey of the SSL Implementation of the Most Popular Web Sites. https:\/\/www.trustworthyinternet.org\/ssl-pulse\/ , Retrieved on Nov , 2014 . SSL Pulse: Survey of the SSL Implementation of the Most Popular Web Sites. https:\/\/www.trustworthyinternet.org\/ssl-pulse\/, Retrieved on Nov, 2014."},{"key":"e_1_3_2_1_30_1","doi-asserted-by":"publisher","DOI":"10.1145\/2046707.2046777"},{"key":"e_1_3_2_1_31_1","volume-title":"Retrieved","author":"Software Volusion Ecommerce","year":"2015","unstructured":"Volusion Ecommerce Software & Shopping Cart Solutions . http:\/\/www.volusion.com\/ , Retrieved Feb. 2015 . Volusion Ecommerce Software & Shopping Cart Solutions. http:\/\/www.volusion.com\/, Retrieved Feb. 2015."},{"key":"e_1_3_2_1_32_1","volume-title":"Proceedings of the 7th USENIX Workshop on Hot Topics in Security, HotSec '12","author":"Walls R. J.","year":"2012","unstructured":"R. J. Walls , S. S. Clark , and B. N. Levine . Functional privacy or why cookies are better with milk . In Proceedings of the 7th USENIX Workshop on Hot Topics in Security, HotSec '12 , Bellevue, WA , Aug. 2012 . R. J. Walls, S. S. Clark, and B. N. Levine. Functional privacy or why cookies are better with milk. In Proceedings of the 7th USENIX Workshop on Hot Topics in Security, HotSec '12, Bellevue, WA, Aug. 2012."},{"key":"e_1_3_2_1_33_1","unstructured":"WooCommerce - a free eCommerce toolkit for WordPress. http:\/\/www.woothemes.com\/woocommerce\/ .  WooCommerce - a free eCommerce toolkit for WordPress. http:\/\/www.woothemes.com\/woocommerce\/ ."},{"key":"e_1_3_2_1_34_1","first-page":"707","volume-title":"Proceedings of the 24th USENIX Conference on Security Symposium, SEC'15","author":"Zheng X.","year":"2015","unstructured":"X. Zheng , J. Jiang , J. Liang , H. Duan , S. Chen , T. Wan , and N. Weaver . Cookies lack integrity: Real-world implications . In Proceedings of the 24th USENIX Conference on Security Symposium, SEC'15 , pages 707 -- 721 , Berkeley, CA, USA , 2015 . USENIX Association. X. Zheng, J. Jiang, J. Liang, H. Duan, S. Chen, T. Wan, and N. Weaver. Cookies lack integrity: Real-world implications. In Proceedings of the 24th USENIX Conference on Security Symposium, SEC'15, pages 707--721, Berkeley, CA, USA, 2015. USENIX Association."}],"event":{"name":"ASIA CCS '16: ACM Asia Conference on Computer and Communications Security","location":"Xi'an China","acronym":"ASIA CCS '16","sponsor":["SIGSAC ACM Special Interest Group on Security, Audit, and Control"]},"container-title":["Proceedings of the 11th ACM on Asia Conference on Computer and Communications Security"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/2897845.2897889","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/2897845.2897889","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,18]],"date-time":"2025-06-18T05:07:01Z","timestamp":1750223221000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/2897845.2897889"}},"subtitle":["Hardening Cookie-Based Authentication for the Modern Web"],"short-title":[],"issued":{"date-parts":[[2016,5,30]]},"references-count":34,"alternative-id":["10.1145\/2897845.2897889","10.1145\/2897845"],"URL":"https:\/\/doi.org\/10.1145\/2897845.2897889","relation":{},"subject":[],"published":{"date-parts":[[2016,5,30]]},"assertion":[{"value":"2016-05-30","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}