CookieChecker: Automated Compliance Analysis for Cookie Security Settings in Real-World Web Environments
[Graphical Abstract: figure not included in the extracted text]
Abstract
Web cookies play a vital role in web security, particularly in web authentication and session management. While they improve the browsing experience, they can also introduce security risks if not properly managed. To address these concerns, the Internet Engineering Task Force (IETF) has published a series of technical guidelines. In practice, however, cookie security mechanisms are often implemented incorrectly or not fully aligned with the existing standards, leading to significant security issues in web environments. A comprehensive analysis of how well the cookie security settings of real-world implementations comply with the IETF guidelines is therefore essential for identifying vulnerabilities and risks in web environments. In this paper, we conduct a thorough analysis of the relevant Request for Comments (RFC) documents and MDN resources, with a specific focus on cookie security considerations. We propose a cookie-analysis prompt for Large Language Models (LLMs) to assess these standards and documents efficiently and comprehensively. We identified 8 previously unrecognized web invariants. Using the Web Platform Tests (WPT) framework, we performed extensive tests on the latest versions of the Firefox and Chromium browser engines, uncovering issues with cookie name prefixes and attributes, as well as unsafe cookie-sending vulnerabilities, that require attention.
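To make the kind of compliance rule the abstract refers to concrete, the following is an added example (not the paper's CookieChecker tool, nor any browser's code). It parses a Set-Cookie header value, checks the `__Secure-`/`__Host-` name-prefix rules and the `SameSite=None` requirement described in the cookie RFC drafts (RFC 6265bis) and on MDN, and simulates, under simplifying assumptions noted in the comments, whether a stored cookie would be attached to a given request. The header values and URLs are constructed sample input; `Cookie`, `parse_set_cookie`, `check_compliance` and `would_be_sent` are names chosen for this example.

```python
"""Minimal cookie-prefix / attribute compliance checker (added example).

Simplifications (assumptions of this example, not of any standard):
  - host-only matching is not modelled, since the cookie's origin host is
    not stored; only an explicit Domain attribute is checked;
  - cross-site requests are treated as sub-resource requests, so a Lax
    cookie is never sent cross-site (real browsers send Lax cookies on
    cross-site top-level GET navigations).
"""
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit


@dataclass
class Cookie:
    name: str
    value: str
    secure: bool = False
    httponly: bool = False
    domain: Optional[str] = None
    path: Optional[str] = None
    samesite: Optional[str] = None  # "Strict", "Lax", "None" or missing


def parse_set_cookie(header: str) -> Cookie:
    """Parse a Set-Cookie header value using a simplified RFC 6265 grammar."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = Cookie(name=name.strip(), value=value.strip())
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "secure":
            cookie.secure = True
        elif key == "httponly":
            cookie.httponly = True
        elif key == "domain":
            cookie.domain = val.lstrip(".").lower() or None
        elif key == "path":
            cookie.path = val or None
        elif key == "samesite":
            cookie.samesite = val.capitalize()  # "none" -> "None"
    return cookie


def check_compliance(cookie: Cookie, from_secure_origin: bool) -> List[str]:
    """Return the list of violated rules; an empty list means compliant."""
    issues: List[str] = []
    prefixed = cookie.name.startswith(("__Secure-", "__Host-"))
    if prefixed and not cookie.secure:
        issues.append("prefix requires Secure attribute")
    if cookie.name.startswith("__Host-"):
        if cookie.domain is not None:
            issues.append("__Host- cookie must not have Domain")
        if cookie.path != "/":
            issues.append("__Host- cookie must have Path=/")
    if cookie.samesite == "None" and not cookie.secure:
        issues.append("SameSite=None requires Secure")
    if cookie.secure and not from_secure_origin:
        # RFC 6265bis: Secure cookies set over a non-secure channel are rejected.
        issues.append("Secure cookie set from non-secure origin is rejected")
    return issues


def would_be_sent(cookie: Cookie, request_url: str, same_site: bool) -> bool:
    """Decide whether a stored cookie is attached to the request (see module docstring)."""
    u = urlsplit(request_url)
    if cookie.secure and u.scheme != "https":
        return False
    req_path = u.path or "/"
    cookie_path = cookie.path or "/"
    # RFC 6265 path-match: equal, or cookie path is a directory prefix.
    if not (req_path == cookie_path or req_path.startswith(cookie_path.rstrip("/") + "/")):
        return False
    host = (u.hostname or "").lower()
    if cookie.domain and not (host == cookie.domain or host.endswith("." + cookie.domain)):
        return False
    effective = cookie.samesite or "Lax"  # browsers default a missing SameSite to Lax
    if not same_site and effective != "None":
        return False
    return True


if __name__ == "__main__":
    # Constructed sample headers, not captured from any real site.
    samples = [
        "__Host-sid=abc; Secure; Path=/; HttpOnly; SameSite=Strict",
        "__Host-sid=abc; Secure; Domain=example.com; Path=/",
        "track=1; SameSite=None",
    ]
    for h in samples:
        c = parse_set_cookie(h)
        print(h, "->", check_compliance(c, from_secure_origin=True) or "compliant")
```

The checker is deliberately strict: every rule produces an explicit message, so the output can be compared directly against what a browser under test actually accepts, which is the comparison the paper's WPT-based measurements make.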