CookieChecker: Automated Cookie Setting Compliance Analysis in Real-World Web Environments
Abstract
Web cookies play a vital role in web security, particularly in web authentication and session management. While they improve the browsing experience, they can also introduce security risks if not properly managed. To address these concerns, the Internet Engineering Task Force (IETF) has published a series of technical guidelines. In practice, however, cookie security mechanisms are often implemented incorrectly or do not fully align with the existing standards, leading to significant security issues in web environments. A comprehensive analysis of how closely real-world cookie security settings comply with the IETF guidelines is therefore essential for identifying vulnerabilities and risks. In this paper, we conduct a thorough analysis of the Request for Comments (RFC) documents and MDN Web Docs resources, focusing specifically on cookie security considerations. We propose a cookie analysis prompt for large language models (LLMs) that assesses these standards and documents efficiently and comprehensively, and with it we identified 8 previously unrecognized web invariants. Using the web platform tests (WPT) framework, we ran extensive tests against the latest engine versions of Firefox and Chromium, uncovering cookie-name prefix issues, attribute issues, and unsafe cookie-sending vulnerabilities that require attention. We also examined in depth the security attributes and prefixes of cookies set by the top 10K websites. Our findings show that mainstream browsers collectively exhibit 56 violations of the standards across 15 WPT cases, including incorrect security attribute configurations, improper prefix handling, and insecure cookie storage. Additionally, only 3.52% of websites implement the SameSite attribute, while 40.95% fully apply the Secure attribute and 31.08% provide HttpOnly protection. We also observed that 6 websites set cookies in ways that deviate from the standard, which may result in improper cookie assignment when accessed through a browser. Our findings highlight significant deviations from the standards in the real world, potentially leading to inappropriate cookie assignments and security risks.
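To make the kinds of checks the abstract refers to concrete, here is an added example of a minimal Set-Cookie compliance checker. It is not the CookieChecker tool from the paper and not code from the authors; it encodes the RFC 6265bis rules for the Secure, HttpOnly and SameSite attributes and the __Secure-/__Host- name prefixes, and it assumes the caller knows whether the response arrived over a secure origin (the `secure_origin` parameter is an assumption of this example). The sample headers at the bottom are constructed, not collected from real sites.

```python
# Added example: a small Set-Cookie compliance checker (not the paper's
# CookieChecker tool). Rules follow RFC 6265bis for the Secure, HttpOnly and
# SameSite attributes and the __Secure-/__Host- name prefixes.
from dataclasses import dataclass, field


@dataclass
class Cookie:
    name: str
    value: str
    # attribute name (lower-cased) -> attribute value, or None for flag attributes
    attrs: dict = field(default_factory=dict)


def parse_set_cookie(header: str) -> Cookie:
    """Split one Set-Cookie header value into name, value and attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, has_value, val = part.partition("=")
        # Attribute names are case-insensitive; values (e.g. SameSite=Lax) are kept as sent
        attrs[key.strip().lower()] = val.strip() if has_value else None
    return Cookie(name.strip(), value.strip(), attrs)


def check_cookie(header: str, secure_origin: bool = True) -> list:
    """Return a list of compliance findings for one header (empty = no issue).

    secure_origin (assumed input): True if the response came over HTTPS.
    Prefixed cookies may only be set from a secure origin.
    """
    c = parse_set_cookie(header)
    a = c.attrs
    findings = []
    has_secure = "secure" in a

    if not has_secure:
        findings.append("missing Secure")
    if "httponly" not in a:
        findings.append("missing HttpOnly")

    if "samesite" not in a:
        findings.append("missing SameSite (default then depends on the browser)")
    else:
        mode = (a["samesite"] or "").lower()
        if mode == "none" and not has_secure:
            findings.append("SameSite=None requires Secure")
        elif mode not in ("strict", "lax", "none"):
            findings.append("unrecognised SameSite value %r" % a["samesite"])

    # Recent RFC 6265bis drafts match the prefixes case-insensitively.
    lname = c.name.lower()
    if lname.startswith("__secure-") or lname.startswith("__host-"):
        if not secure_origin:
            findings.append("prefixed cookie set from an insecure origin")
        if not has_secure:
            findings.append("prefixed cookie requires Secure")
    if lname.startswith("__host-"):
        if "domain" in a:
            findings.append("__Host- cookie must not carry Domain")
        if a.get("path") != "/":
            findings.append("__Host- cookie must set Path=/")
    return findings


def scan_headers(headers, secure_origin: bool = True) -> dict:
    """Check a batch of Set-Cookie header values; map each to its findings."""
    return {h: check_cookie(h, secure_origin) for h in headers}


# Constructed sample headers for demonstration (not from real sites).
SAMPLE_HEADERS = [
    "sid=abc123; Secure; HttpOnly; SameSite=Lax; Path=/",
    "__Host-sid=abc123; Secure; HttpOnly; SameSite=Strict; Path=/",
    "__Host-sid=abc123; Secure; HttpOnly; SameSite=Strict; Domain=example.com",
    "pref=1; SameSite=None",
]

if __name__ == "__main__":
    for header, findings in scan_headers(SAMPLE_HEADERS).items():
        print(header)
        for f in findings or ["ok"]:
            print("  -", f)
```

Running the script prints each constructed header followed by its findings; the first two are clean, the third violates both __Host- constraints, and the fourth collects three findings including the SameSite=None-without-Secure case that browsers reject.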