HTTP Cookies



HTTP is a stateless protocol. Whenever a user makes a request, a connection is opened to the server, the requested page is delivered and the connection is closed. When the same user comes back a second time, the server has no way of knowing whether the request came from the same user or a different one.

Now, why does this matter to a novice user?



Imagine a social networking site where every page you navigate to, such as visiting a profile, required a user name and password, like an ATM transaction in India. This would be a nightmare for the user and a headache for the site, which would have to handle the repeated logins.


From a technical perspective, without the concept of cookies, every page the user navigates to is a new transaction: for every request, the social networking site's server would ask, "And who are you? Prove your identity."




Cookies solve this problem by storing plain text data in the user agent (which we call a browser). After sign-in, on every page the user accesses, the browser returns this text data (the cookie) to the server hosting the social networking site. The server has a mechanism to decode (or decrypt) this text and validate the user. This ensures that the user doesn't have to log in for every page access and, on the flip side, the server has a mechanism to validate its users on every page access without the username and password being passed with every transaction.

Contents:
  1. Name Cookies
  2. About Cookies
  3. Cookies Storage
  4. Cookies Content
  5. Types of Cookies
  6. Advantages for Cookies
  7. Attacks using Cookies
  8. Cookie Guidelines- Laws for Cookies

Name Cookies:


No one has exact information about this, and neither do I :)
The name comes from the term 'magic cookie', and its use for this mechanism came from Netscape Corporation.


About Cookies:


A cookie is a small piece of text data which is created by the web application and stored in the user's browser. The browser passes this information back to the web server on subsequent requests, facilitating session management and personalization.

Cookies Content



Name: Each cookie has a name, which identifies it uniquely. A name is mandatory for any cookie.
Content: This is the actual text that stores the information; the web application retrieves this value to make decisions. Content is mandatory for any cookie.
Domain: Each cookie has a domain, related to the domain of the web application that created it, which helps determine the scope of the cookie. The domain also serves the privacy policy: the guidelines say a browser must send cookies only to the domain they belong to, so although a browser may have cookies for both Facebook and Gmail stored in it, it cannot send the Facebook cookies to the Gmail server. Each domain can have a maximum of 20 cookies.
Path: This value, together with the domain, determines the scope of a cookie. It is a URI path.
Expires: This indicates the expiration time or maximum age of a cookie. If a time is specified, it must be a GMT time in the form "Wdy, DD Mon YYYY HH:MM:SS GMT", giving the exact date/time at which the cookie expires.
Secure: This attribute indicates that the cookie is to be sent only over a secure connection, i.e. SSL.
HttpOnly: This attribute makes the cookie unavailable to client-side script; the browser still sends it with requests.
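To make the attributes above concrete, here is an added example (not code from the original post) that builds a Set-Cookie header from them, formats Expires in the GMT form given above, and decides whether a stored cookie is in scope for a request URL by domain and path, so a Facebook cookie is never sent to Gmail. The cookie names, values and expiry date are constructed.

```python
from datetime import datetime, timezone
from urllib.parse import urlsplit

def format_expires(dt):
    # The required format: "Wdy, DD Mon YYYY HH:MM:SS GMT"
    return dt.astimezone(timezone.utc).strftime("%a, %d %b %Y %H:%M:%S GMT")

def set_cookie_header(name, value, domain=None, path="/", expires=None,
                      secure=False, http_only=False):
    """Build a Set-Cookie header from the attributes described above."""
    if not name or "=" in name or ";" in name or ";" in value:
        raise ValueError("name and content are mandatory and may not contain ';' or '='")
    parts = [f"{name}={value}"]
    if domain:
        parts.append(f"Domain={domain}")
    parts.append(f"Path={path}")
    if expires is not None:          # no Expires -> session cookie, dropped on browser close
        parts.append(f"Expires={format_expires(expires)}")
    if secure:
        parts.append("Secure")       # sent only over SSL/TLS
    if http_only:
        parts.append("HttpOnly")     # not readable by client-side script
    return "; ".join(parts)

def domain_matches(cookie_domain, host):
    # A cookie for facebook.com goes to facebook.com and www.facebook.com, never to Gmail.
    d = cookie_domain.lstrip(".").lower()
    host = host.lower()
    return host == d or host.endswith("." + d)

def path_matches(cookie_path, request_path):
    # Path=/app covers /app and /app/x but not /application.
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"

def in_scope(cookie_domain, cookie_path, url, secure=False):
    """Would a browser attach this stored cookie to a request for url?"""
    u = urlsplit(url)
    if secure and u.scheme != "https":
        return False
    return (domain_matches(cookie_domain, u.hostname or "")
            and path_matches(cookie_path, u.path or "/"))

# Constructed sample: a persistent, secure, script-inaccessible session cookie
SAMPLE_EXPIRY = datetime(2025, 1, 15, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE_HEADER = set_cookie_header("sid", "abc123", "facebook.com", "/", SAMPLE_EXPIRY, True, True)
```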


Cookies Storage

Cookies are stored on the client machine, either in the browser (Chrome, Firefox) or on the client's hard disk.
The server doesn't have to maintain these cookies.


Types of Cookies

Cookies are classified into two types based on their storage:
  1. Session cookies
  2. Persistent cookies

Session cookies are specific to a browser session. They are stored in the browser's memory, so if the user closes the browser they are deleted.

An example would be the user ID of a particular user logged in to a site.

Persistent cookies: These cookies are stored in a file on the user's hard disk. Even if the browser is closed and reopened, these cookies are not deleted.

An example would be a site offered in several languages, which would like to show the site in your preferred language on your second visit without you having to set the language preference every time.

Advantages for Cookies 

  1. Ability to personalize information: It provides a mechanism for the server to show information more relevant to a user. Example: when a user searches for "language", the search engine could return different results for different users. A software professional might get a list of programming languages, while a general user gets a list of regional languages in that specific area.
  2. Single sign-on for web applications like Facebook, Gmail or any banking site. We call it session management.
  3. Storing demographic information like country, language, preferences etc.

Attacks using Cookies and Disadvantages

  1. Cookies can easily be stolen using cross-site scripting, which allows replay attacks. If the server doesn't have a mechanism to prevent replay attacks, the security of the site is compromised.
  2. A web server doesn't have a mechanism to prevent a user from deleting or tampering with cookies. Deleting cookies results in the failure of personalization.
  3. There is no central storage for cookies; each browser stores cookies in its own location. With multiple browsers installed on a single machine, a preference set in one browser is not known to the other.
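The theft and tampering risks above are easiest to check from the response headers that set the cookies. The following is an added example, not code from the original post: it parses Set-Cookie headers and reports cookies that lack the HttpOnly or Secure attributes, plus (an assumption of this example) login-session cookies that have been made persistent. SESSION_NAMES and the sample headers are constructed.

```python
# Assumed names that usually carry a login session (adjust for your application)
SESSION_NAMES = {"sid", "sessionid", "jsessionid", "phpsessid"}

def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, content, attributes)."""
    pair, *attrs = [p.strip() for p in header.split(";")]
    name, _, value = pair.partition("=")
    attributes = {}
    for attr in attrs:
        key, _, val = attr.partition("=")
        attributes[key.strip().lower()] = val.strip() or True  # flag-only attributes -> True
    return name.strip(), value, attributes

def audit_set_cookie(header):
    """Report the weaknesses described above for one Set-Cookie header."""
    name, _, attrs = parse_set_cookie(header)
    findings = []
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: readable by script injected via XSS")
    if "secure" not in attrs:
        findings.append("missing Secure: also sent over plain HTTP")
    persistent = "expires" in attrs or "max-age" in attrs
    if persistent and name.lower() in SESSION_NAMES:
        findings.append("session identifier stored as a persistent cookie")
    return {"name": name, "persistent": persistent, "findings": findings}

# Constructed sample response headers
SAMPLE_HEADERS = [
    "sessionid=abc123; Path=/",
    "sessionid=abc123; Path=/; Secure; HttpOnly",
    "lang=en; Domain=example.com; Path=/; Expires=Wed, 15 Jan 2025 12:00:00 GMT",
]

def audit_all(headers=SAMPLE_HEADERS):
    return [audit_set_cookie(h) for h in headers]
```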

Cookie Guidelines - Laws for Cookies

People call it the Cookie Law:
  1. Websites must obtain consent from visitors to store or retrieve any information on a computer.
  2. It protects online privacy by making consumers aware of how information about them is collected by websites, and enabling them to choose whether or not they want it to happen.

[Screenshot: Facebook's cookie privacy settings, with the relevant region highlighted]


Example:

Yahoo privacy policy:
http://info.yahoo.com/privacy/us/yahoo/cookies/
Facebook privacy policy can be found here:
https://www.facebook.com/help/cookies



Thanks to my friends for supporting me. I wish I could name them here, if only the world were not so bad.

1 comment:

  1. Nice post - More info at: http://www.ietf.org/rfc/rfc2109.txt

     Sections 6 and 8, in particular.