Active Cookies for Browser Authentication

We propose active cookies as a tool for stronger user/client authentication on the Web. An ordinary cookie is automatically released to any server associated with a particular domain name. It is therefore vulnerable to capture by pharming, that is, spoofing of domain names. An active cookie, by contrast, resists such pharming attacks. Active cookies rely on a new protocol we propose that channels client communications to a specific, valid IP address. This protocol exploits a combination of cookie-based (or cached-object-based) authentication with a new type of IP-tracing protocol. This IP-tracing protocol helps defend against the presence of an attacker in the loop during an authentication session, but is unaffected by IP-address changes in clients.