CookieMonster
I had overlooked it until now, but the countermeasure for CookieMonster is written in RFC2965.
http://www.ietf.org/rfc/rfc2965.txt
7.2 Cookie Spoofing

Proper application design can avoid spoofing attacks from related domains. Consider:

1. User agent makes request to victim.cracker.edu, gets back cookie session_id="1234" and sets the default domain victim.cracker.edu.
2. User agent makes request to spoof.cracker.edu, gets back cookie session-id="1111", with Domain=".cracker.edu".
3. User agent makes request to victim.cracker.edu again, and passes
   Cookie: $Version="1"; session_id="1234", $Version="1"; session_id="1111"; $Domain=".cracker.edu"

The server at victim.cracker.edu should detect that the second cookie was not one it originated by noticing that the Domain attribute is not for itself and ignore it.
Since the server knows which Domain attribute it attached to the cookies it issued (in the example none, so the default domain victim.cracker.edu), it can recognise a cookie arriving with a $Domain it never set as foreign and reject it.
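One way to implement the check from 7.2 on the server side, as an added example that is not code from the original post or from the RFC: victim.cracker.edu parses the RFC 2965 Cookie header and keeps only the session_id values whose origin it could have produced. The header value is constructed from the RFC example above; `issued_domains` is a hypothetical allow-list of the Domain values this server actually sets (empty in the RFC scenario, since the cookie was issued with the default domain).

```python
"""Server-side filter for RFC 2965 'Cookie:' headers (added example).

The request host is assumed to be victim.cracker.edu, as in RFC 2965 section 7.2:
it issued session_id with no Domain attribute, so any session_id arriving with a
$Domain it never set was originated by some other host under .cracker.edu.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional

# Constructed from the RFC 2965 7.2 example: two cookies with the same name, the
# second one set by spoof.cracker.edu with Domain=.cracker.edu.
RFC_EXAMPLE = ('$Version="1"; session_id="1234", '
               '$Version="1"; session_id="1111"; $Domain=".cracker.edu"')


@dataclass
class Cookie:
    name: str
    value: str
    version: Optional[str] = None
    attrs: Dict[str, str] = field(default_factory=dict)  # path / domain / port

    @property
    def domain(self) -> Optional[str]:
        """Value of $Domain, or None when the cookie carried no Domain attribute."""
        return self.attrs.get("domain")


def _split_cookie_header(header: str) -> List[str]:
    """Split on ';' or ',' (RFC 2965 allows either), ignoring separators inside quotes."""
    parts, buf, quoted = [], [], False
    for ch in header:
        if ch == '"':
            quoted = not quoted
        if ch in ";," and not quoted:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return [p.strip() for p in parts if p.strip()]


def _unquote(raw: str) -> str:
    """Strip one layer of double quotes from a quoted-string value."""
    raw = raw.strip()
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return raw[1:-1].replace('\\"', '"')
    return raw


def parse_cookie_header(header: str) -> List[Cookie]:
    """Parse an RFC 2965 Cookie header into Cookie objects.

    $Version opens a new version context; $Path/$Domain/$Port attach to the
    cookie that precedes them; every other NAME=VALUE starts a new cookie.
    """
    cookies: List[Cookie] = []
    version: Optional[str] = None
    for part in _split_cookie_header(header):
        name, _, raw = part.partition("=")
        name, value = name.strip(), _unquote(raw)
        if name.lower() == "$version":
            version = value
        elif name.startswith("$"):
            if not cookies:
                raise ValueError(f"{name} appeared before any cookie")
            cookies[-1].attrs[name[1:].lower()] = value
        else:
            cookies.append(Cookie(name, value, version))
    return cookies


def accept_own_cookies(cookies: Iterable[Cookie],
                       issued_domains: Iterable[str] = ()) -> List[Cookie]:
    """Keep only cookies this server could have issued.

    No $Domain means the user agent stored the cookie under the default
    domain, i.e. the request-host, so it is ours. A $Domain is accepted only
    if it is one of the Domain values this server actually sets
    (issued_domains, a hypothetical allow-list for this example).
    """
    own = {d.lower() for d in issued_domains}
    return [c for c in cookies if c.domain is None or c.domain.lower() in own]


def accepted_session_ids(header: str, issued_domains: Iterable[str] = ()) -> List[str]:
    """session_id values that survive the origin check, in header order."""
    return [c.value
            for c in accept_own_cookies(parse_cookie_header(header), issued_domains)
            if c.name == "session_id"]


if __name__ == "__main__":
    print(accepted_session_ids(RFC_EXAMPLE))                         # ['1234']
    print(accepted_session_ids(RFC_EXAMPLE, [".cracker.edu"]))       # ['1234', '1111']
    print(accepted_session_ids("session_id=1234; session_id=1111"))  # ['1234', '1111']
```

The filter works only because victim.cracker.edu issues its session cookie without a Domain attribute; if it set Domain=.cracker.edu itself (the second call), both cookies would look legitimate and the check could not separate them. It also depends on the user agent sending the $Domain attribute at all: a Netscape-style `Cookie: session_id=1234; session_id=1111` carries no origin information, so both values pass and the server is back to guessing which one is its own.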
I think browsers should implement Set-Cookie2, but at the moment the only one that supports it is Opera, or so?