Cookies.NET Security Summer 2006 CS795/895 Hadi Arbabi

Maintaining State Information Query strings Are visible to the user, should not contain secure information View state ViewState property as hidden fields on page Session state Local to current session (single user) Application state Available to all users of application Cookies Store small amount of information on a client (if not refused)

What Are Cookies? A cookie is a small bit of text that accompanies requests and pages as they go between the Web server and browser. The cookie contains information the application can read whenever the user visits the site. Cookies are normally written to the user's disk. The Browser looks on the local hard disk for a cookie associated with the URL. If the cookie exists, the browser sends the cookie to your site along with the page request. Cookies are used for all sorts of purposes, all relating to helping the Web site remember you.

Properties Cookies are associated with a Web site, not with a specific page. As the user visits different sites, each site might send a cookie to the user's browser as well. The browser stores all the cookies separately. Most browsers support cookies of up to 4096 bytes. Most browsers allow only 20 cookies per site; if you try to store more, the oldest cookies are discarded. Cookies are stored by Name, so if you create two cookies with the same name, one overwrites the other. Different browsers store cookies in different ways. Cookies are case sensitive.

Properties IE5 and higher store cookies in this way: C:\Documents and Settings\ NOTE: You can open the cookie with a text editor. If the file contains multiple cookies, they are separated with an asterisk (*). The first line of each cookie is its name, and the second has the values. The remaining lines have cookie housekeeping information such as the expiration date and time. There is also a simple checksum in the cookie; if you change the length of the cookie name or value, the browser will detect the tampering and will discard the cookie.

Approaches Two approaches when storing and retrieving user information through cookies: 1. Store all the user information as a cookie on the client’s computer It is useful when user information is simple and is not required on the server for any tasks. 2. Store an identification key on client’s machine, and then retrieve user information from a data source on the server using that identification key It is the best for storing more extensive information.

HttpCookie Class in.NET Public Properties DomainGets or sets the domain to associate the cookie with ExpiresGets or sets the expiration date and time for the cookie HasKeysGets a value indicating whether a cookie has subkeys NameGets or sets the name of a cookie PathGets or sets the virtual path to transmit with the current cookie SecureGets or sets a value indicating whether to transmit the cookie securely (that is, over HTTPS only) ValueGets or sets an individual cookie value ValuesGets a collection of key-and-value value pairs that are contained within a single cookie object

Using Cookies U sers can set their browser to refuse cookies. The application should not depend on being able to store cookies. Use cookies for nice-to-have features; do not use them to support critical features. C#: private void Function(….) { // If the browser supports cookies if(Request.Browser.Cookies) { // Create a cookie HttpCookie myCookie = new HttpCookie(“MyCookie”); cookie.Value = “This is value of my cookie”; // Add the cookie Response.Cookies.Add(myCookie); }

Creating Cookie Steps to store a cookie: 1. Check whether the client supports cookies by using the Browser object’s Cookies property. 2. If so, check whether the cookie already exists by using the Request object’s Cookies collection. 3. If not, create a new cookie object using the HttpCookie class. 4. Set the cookie object’s Value and Expiration properties. 5. Add the cookie object to Response object’s Cookies collection.

Code C# private void Page_Load(object sender, System.EventArgs e) { if(Request.Browser.Cookies) { if(Request.Cookies[“MyCookie”] == null) { HttpCookie myCookie = new HttpCookie(“MyCookie”); myCookie.Value = “This is my cookie value”; myCookie.Expires = DataTime.Now.AddDays(5); Response.Cookies.Add(myCookie); } else { HttpCookie myCookie = Request.Cookies[“MyCookie”]; myCookie.Value = “Set the value”; myCookie.Expires = DataTime.Now.AddDays(5); } else{ // SHOW MESSAGE; THE BROWSER DOES NOT ACCEPT COOKIES. (ALERT). }

Expiration?!!! If you do not set the cookie's expiration, the cookie is created but it is not stored on the user's hard disk. Instead, the cookie is maintained as part of the user's session information. When the user closes the browser or if the session times out, the cookie is discarded. A non-persistent cookie like this is handy for information that needs to be stored for only a short time or that for security reasons should not be written to disk on the client computer. For example, non-persistent cookies are useful if the user is working on a public computer, where you do not want to write the cookie to disk. So Expires property determines when the client’s machine can discard the cookie. Setting Expires to the DateTime.MaxValue means that the cookie never expires. Response.Cookies[“MyCookie”].Expires= DateTime.MaxValue ; Resetting the Expires property to the current time or the past time removes the cookies form client’s machine. Response.Cookies[“MyCookie”].Expires= DateTime.Now ;

Using Keys, Multi-Valued Cookies private void SetKeys(….) { HttpCookie cuky = new HttpCookie(“UserInfo”); cuky[“FirstName”] = firstname; cuky[“LastName”] = lastname; cuky[“Tel”]=tel; … cuky.Expires = DateTime.Now.AddDays(30); Response.Cookies.Add(cuky); } private void ReadKeys(…) { HttpCookie cuky = Request.Cookies[“UserInfo”]; firstname = cuky[“FirstName”]; lastname = cuky[“LastName”]; tel = cuky[“Tel”]; …. }

Storing User Information on the Server 1. Create a unique key to identify the user. 2. Save the unique key as a cookie on the user’s computer. 3. Create a file on the server to store user information. 4. Save the user information on the server using the unique key as an index. * System.Guid.NewGuid().ToString();

Security You should never store secrets in a cookie — no user names, no passwords, no credit card numbers, and so on. Do not put anything in a cookie that should not be in the hands of a user or of someone who might somehow steal the cookie. Similarly, be suspicious of information you get out of a cookie. Do not assume that the data is the same as when you wrote it out. Limit the scope of cookies to a folder on the server, which in practical terms allows you to limit cookies to an application on the site. Response.Cookies[“domain1”].Path = “/Application1”; Set scope to a domain, which allows you to specify which subdomains in a domain can access a cookie. Response.Cookies[“domain1”].Domain = “hadi.arbabi.com“; Set appropriate expiration date and time for cookies.

Security You can set a cookie property that causes the cookie to be transmitted only if the connection uses the Secure Sockets Layer (SSL, >> If(myCookie.Secure){ …. } If you do want to store sensitive information such as a user ID in a cookie, you can encrypt the cookie. Use HTTP-only Cookies. NOTE: To mitigate the risk of information disclosure with a cross-site scripting attack, a new attribute is introduced to cookies for Internet Explorer 6SP1. This attribute specifies that a cookie is not accessible through script. By using HTTP-only cookies, a Web site eliminates the possibility that sensitive information contained in the cookie can be sent to a hacker's computer or Web site with script. If a Web site sets an HTTP-only cookie on a browser that does not support HTTP-only cookies, the cookie is either ignored or downgraded to a traditional, scriptable cookies.

References Book Developing WEB APPLICATIONS with Microsoft Visual C#.NET Published by Microsoft Press (MCAD/MCSD) Web Libraries Microsoft Developer Network -HttpCookies -Cookies in.NET -State Management in ASP.NET