Saturday, July 4, 2015

How are cookies passed in the HTTP protocol?



https://www.owasp.org/index.php/SecureFlag
https://resources.infosecinstitute.com/securing-cookies-httponly-secure-flags/#gref
Securing cookies is an important subject. Think about an authentication cookie. When the attacker is able to grab this cookie, he can impersonate the user.

The cookie with a secure flag will only be sent over an HTTPS connection.

https://stackoverflow.com/questions/13729749/how-does-cookie-secure-flag-work
The Secure attribute limits the scope of the cookie to "secure" channels (where "secure" is defined by the user agent). When a cookie has the Secure attribute, the user agent will include the cookie in an HTTP request only if the request is transmitted over a secure channel (typically HTTP over Transport Layer Security (TLS) [RFC2818]).
Although seemingly useful for protecting cookies from active network attackers, the Secure attribute protects only the cookie's confidentiality. An active network attacker can overwrite Secure cookies from an insecure channel, disrupting their integrity (see Section 8.6 for more details).
http://stackoverflow.com/questions/3467114/how-are-cookies-passed-in-the-http-protocol
The server sends a
Set-Cookie: name=value
in its response header to set the field. If there is a cookie set, then the browser sends a
Cookie: name=value
in its request header.
http://www.nczonline.net/blog/2009/05/05/http-cookies-explained/
Quite simply, a cookie is a small text file that is stored by a browser on the user’s machine. A web page or server instructs a browser to store this information and then send it back with each subsequent request based on a set of rules. Web servers can then use this information to identify individual users.

Set-Cookie: name=Nicholas; expires=Sat, 02 May 2009 23:38:25 GMT

The next option is domain, which indicates the domain(s) for which the cookie should be sent. By default, domain is set to the host name of the page setting the cookie, so the cookie value is sent whenever a request is made to the same host name.

The browser performs a tail comparison of this value and the host name to which a request is sent (meaning it starts the comparison from the end of the string) and sends the corresponding Cookie header when there’s a match.

The value set for the domain option must be part of the host name that is sending the Set-Cookie header. Invalid domain options are simply ignored.

Set-Cookie: name=Nicholas; path=/blog

A secure cookie will only be sent to the server when a request is made using SSL and the HTTPS protocol. The idea is that the contents of the cookie are of high value and could be potentially damaging to transmit as clear text.

In reality, confidential or sensitive information should never be stored or transmitted in cookies as the entire mechanism is inherently insecure. By default, cookies set over an HTTPS connection are automatically set to be secure.
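The Set-Cookie/Cookie exchange, the domain tail comparison, the path option and the Secure flag quoted above, plus the integrity caveat from the RFC excerpt (a Secure cookie can be overwritten from an insecure channel), as one added example in Python that is not part of the original post or of any of the linked sources. It is a toy cookie jar: it parses Set-Cookie, validates the Domain attribute against the setting host, decides which cookies go into the Cookie header for a given request, withholds Secure cookies on plain HTTP and hides HttpOnly cookies from script access. The leave_secure_cookies_alone switch is an assumed mitigation modelled on the "Leave Secure Cookies Alone" rule of the RFC 6265bis draft; with it off the jar shows the overwrite the RFC warns about. All hostnames, URLs and cookie values are constructed, and the public-suffix check real browsers perform is omitted.

```python
"""Toy model of browser cookie storage and the Cookie header it sends.
Added example, not code from the original post; all sample data is constructed."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit


@dataclass
class Cookie:
    name: str
    value: str
    domain: str          # for host-only cookies this is the setting host itself
    host_only: bool      # True when no Domain attribute was given
    path: str
    secure: bool = False
    http_only: bool = False


def parse_set_cookie(header: str) -> Tuple[str, str, Dict[str, Optional[str]]]:
    """Split 'name=value; Attr; Attr=val' into name, value and lower-cased attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, Optional[str]] = {}
    for part in parts[1:]:
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else None
    return name.strip(), value.strip(), attrs


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 tail comparison: host equals the domain or ends with '.' + domain."""
    request_host = request_host.lower()
    cookie_domain = cookie_domain.lower().lstrip(".")
    return request_host == cookie_domain or request_host.endswith("." + cookie_domain)


def path_matches(request_path: str, cookie_path: str) -> bool:
    """RFC 6265 path-match: '/blog' matches '/blog' and '/blog/x' but not '/blogger'."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False


def default_path(request_path: str) -> str:
    """Path used when Set-Cookie carries no Path: the request path's directory."""
    if not request_path.startswith("/") or request_path.count("/") == 1:
        return "/"
    return request_path.rsplit("/", 1)[0]


class CookieJar:
    def __init__(self, leave_secure_cookies_alone: bool = True):
        self.cookies: Dict[Tuple[str, str, str], Cookie] = {}
        self.leave_secure_cookies_alone = leave_secure_cookies_alone

    def store(self, response_url: str, set_cookie: str) -> bool:
        """Apply one Set-Cookie header received from response_url; True if stored."""
        url = urlsplit(response_url)
        host = (url.hostname or "").lower()
        name, value, attrs = parse_set_cookie(set_cookie)
        domain = attrs.get("domain")
        if domain:
            domain = domain.lower().lstrip(".")
            if not domain_matches(host, domain):
                return False              # Domain not a suffix of the setting host: ignored
            host_only = False
        else:
            domain, host_only = host, True
        path = attrs.get("path") or ""
        if not path.startswith("/"):
            path = default_path(url.path or "/")
        secure = "secure" in attrs
        if self.leave_secure_cookies_alone and url.scheme != "https":
            if secure:
                return False              # a non-secure origin cannot create a Secure cookie
            for c in self.cookies.values():
                if (c.name == name and c.secure
                        and (domain_matches(domain, c.domain) or domain_matches(c.domain, domain))
                        and path_matches(path, c.path)):
                    return False          # ...nor overwrite or shadow an existing one
        self.cookies[(name, domain, path)] = Cookie(
            name, value, domain, host_only, path, secure, "httponly" in attrs)
        return True

    def cookie_header(self, request_url: str, from_script: bool = False) -> Optional[str]:
        """Value of the Cookie header the browser would attach to request_url."""
        url = urlsplit(request_url)
        host, path = (url.hostname or "").lower(), url.path or "/"
        chosen = []
        for c in sorted(self.cookies.values(), key=lambda c: -len(c.path)):
            if c.host_only and host != c.domain:
                continue
            if not c.host_only and not domain_matches(host, c.domain):
                continue
            if not path_matches(path, c.path):
                continue
            if c.secure and url.scheme != "https":
                continue                  # Secure: only over a secure channel
            if c.http_only and from_script:
                continue                  # HttpOnly: invisible to document.cookie
            chosen.append(f"{c.name}={c.value}")
        return "; ".join(chosen) if chosen else None
```

With the mitigation switched off, a Set-Cookie received over http:// for a name already held as a Secure cookie simply replaces it, and the replaced value is then sent over https: that is the integrity gap the RFC excerpt describes, and why the Secure flag alone protects only confidentiality.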


However, due to the browser mechanism to set and read cookies, they can be used as spyware (see zombie cookie and evercookie for more details). Anti-spyware products may warn users about some cookies because cookies can be used to track computer activity—a privacy concern, later causing possible malware.

https://en.wikipedia.org/wiki/HTTP_cookie
Zombie cookie
Zombie cookies are cookies that are automatically recreated after being deleted. This is accomplished with the help of a client-side script. The script starts by storing the cookie's content in multiple locations, such as Flash local storage, HTML5 storage, and other client-side storage locations. When the script detects the cookie's absence, it recreates the cookie using the data stored in these locations.
