Cookies COEN 351 E-commerce Security

Client / Session Identification
HTTP does not maintain state. State information can be passed using:
- HTTP Headers
- Client IP Address
- HTTP User Login
- FAT URLs
- Cookies

Client / Session Identification: HTTP Header
HTTP header fields:
- "From": the user's (e-mail) address, sent in the request. Could be sent by all browsers, but in practice is only sent by web-bots gathering data.
- "User-Agent": the user's browser software, sent in the request.
- "Referer" (sic): the page the user came from by following a link.

Client / Session Identification: HTTP Header
HTTP header fields:
- "Authorization": user name and password
- "Client-ip"
- "X-Forwarded-For": client IP address
- "Cookie"

Client / Session Identification: User-Agent
Gives the server information about the browser.

Client / Session Identification: HTTP Header
All contents of the header and of the URL can be easily forged. Secure protocols need to use strong encryption and a challenge / response scheme to avoid replay attacks.

Client / Session Identification: Client IP Address
- Not part of the HTTP header
- Available from the IP packet
- Easily spoofed
- Changed by NATs and proxies
- Not secure for maintaining state

Client / Session Identification: HTTP Authentication
HTTP login is based on the WWW-Authenticate and Authorization headers.
1. Browser requests a page with GET.
2. Server answers with: 401 Login Required, WWW-Authenticate: Basic realm="joe"
3. Browser pops up a login dialog that the user fills out.
4. Browser resends the GET request, adding Authorization: Basic am98re45
5. Server fulfills the request.
6. Browser will now resend the stored user name and password with every request.

Client / Session Identification: HTTP Authentication
HTTP Authentication details:
- Realms allow a web-site to have many separately secured areas.
- HTTP packs user name and password together, separated by a colon, and encodes them in Base64.
- HTTP allows authentication by proxies: the user authenticates to the proxy, and the user name and password are then used to reach the target sites.

Client / Session Identification: HTTP Authentication
HTTP Authentication security risks:
- User name and password are encoded, not encrypted. Base64 encoding and decoding tools are freely available for those who do not want to program them themselves.
- Authentication information does not change between different requests: a sniffer can replay it!
- Requesting unnecessary authentication leads to password sharing.
- Basic authentication only authenticates the browser (user), not the server. Impersonating websites could harvest passwords.

Client / Session Identification: Digest Authentication
HTTP Digest Authentication is a rarely used alternative that is more secure:
- Prevents replay attacks by using nonces.
- Encrypts passwords.
- Optionally protects message integrity.
- …
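The two schemes from the preceding slides side by side, as an added example that is not part of the original slides: a Basic Authorization header is built and then decoded exactly as a sniffer would, and a small Digest verifier (RFC 2617 response computation without qop) shows how the server's nonce makes a captured response worthless once that nonce has been used. The realm "joe", the user names, passwords and the one-nonce-per-request policy are constructed assumptions of this example.

```python
import base64
import hashlib
import secrets

def md5hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()

def basic_header(user: str, password: str) -> str:
    # HTTP packs "user:password" and Base64-encodes it; no secret key is involved.
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def decode_basic(header: str):
    # What a sniffer does with a captured Authorization header: decode and split on ":".
    user, _, password = base64.b64decode(header.split(" ", 1)[1]).decode().partition(":")
    return user, password

def digest_response(user, realm, password, method, uri, nonce) -> str:
    # RFC 2617 Digest (no qop): response = MD5(HA1:nonce:HA2),
    # HA1 = MD5(user:realm:password), HA2 = MD5(method:uri).
    ha1 = md5hex(f"{user}:{realm}:{password}")
    ha2 = md5hex(f"{method}:{uri}")
    return md5hex(f"{ha1}:{nonce}:{ha2}")

class DigestServer:
    """Issues nonces in the challenge and checks responses; keeps HA1, not passwords."""

    def __init__(self, realm: str, users: dict):
        self.realm = realm
        self.ha1 = {u: md5hex(f"{u}:{realm}:{p}") for u, p in users.items()}
        self.live_nonces = set()

    def challenge(self) -> str:
        # Value sent in: WWW-Authenticate: Digest realm="...", nonce="..."
        nonce = secrets.token_hex(16)
        self.live_nonces.add(nonce)
        return nonce

    def verify(self, user, method, uri, nonce, response) -> bool:
        if user not in self.ha1 or nonce not in self.live_nonces:
            return False
        # Each nonce is accepted once (assumption), so a sniffed response cannot be replayed.
        self.live_nonces.discard(nonce)
        expected = md5hex(f"{self.ha1[user]}:{nonce}:{md5hex(f'{method}:{uri}')}")
        return secrets.compare_digest(expected, response)
```

The Basic header decodes to the password on the first try, while the same Digest response is rejected on its second use and under a fresh nonce.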

Client / Session Identification: Fat URL
Fat URLs maintain state information in the URL:
- Server generates a session id.
- Server adds the session id to all URLs in the hyperlinks of the pages it serves.

Client / Session Identification: Fat URL
- URLs can be easily faked. Fat URLs need to be encrypted.
- The website needs to do more processing for fat URLs.
- Sharing URLs can lead to sharing authentication.
- Caching no longer works.
- Access is lost when the user leaves the website temporarily.

Cookies
Cookies are ASCII strings stored at the browser and submitted with each request to the target website.

Cookies
- Session cookies: stored only for the duration of a web-session.
- Persistent cookies: remain stored until they expire.

Cookies: Cookie-Jar
Client-side state storage:
- Netscape / Firefox store cookies in a single text file called cookies.txt.
- MS IE stores cookies in the cache.

Cookies
- Server specifies an optional domain. The cookie gets sent with all requests to this domain.
- Server specifies an optional expiration date.
- Server can specify the "secure" option: the cookie is only sent when using SSL.

Cookies: Version 0 cookies (Netscape cookies)
Set-Cookie: name=value [;expires=date] [;path=path] [;domain=domain_name] [;secure]
Example:
Set-Cookie: customer=Mary; expires=Wednesday, 09-September :00:01 GMT; domain="scu.edu"; path=/soe; secure
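A cookie-jar check for the Version 0 format just shown, as an added example that is not part of the original slides: the header is parsed into its name, value and attributes, and a request URL is tested against the rules the earlier slides list (domain, path, "secure" only over SSL, expiry). The sample cookie is modelled on the Mary example above but with a constructed, complete date; the URLs and clock values are constructed too.

```python
from datetime import datetime, timezone
from urllib.parse import urlsplit

def parse_set_cookie(header: str) -> dict:
    """Parse 'name=value; expires=...; domain=...; path=...; secure' into a dict."""
    name_value, *attrs = header.split(";")
    name, _, value = name_value.strip().partition("=")
    cookie = {"name": name, "value": value, "domain": None, "path": "/",
              "secure": False, "expires": None}
    for attr in attrs:
        key, _, val = attr.strip().partition("=")
        key, val = key.lower(), val.strip().strip('"')
        if key == "secure":
            cookie["secure"] = True
        elif key == "expires":
            # Netscape date format: Wdy, DD-Mon-YYYY HH:MM:SS GMT
            cookie["expires"] = datetime.strptime(val, "%a, %d-%b-%Y %H:%M:%S GMT").replace(tzinfo=timezone.utc)
        elif key in ("domain", "path"):
            cookie[key] = val
    return cookie

def should_send(cookie: dict, url: str, now: datetime) -> bool:
    """Apply the slides' rules: not expired, secure only over SSL, domain and path match."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if cookie["expires"] is not None and now >= cookie["expires"]:
        return False  # persistent cookie has expired (session cookies carry no expires)
    if cookie["secure"] and parts.scheme != "https":
        return False  # "secure" cookies are only sent over SSL
    domain = (cookie["domain"] or host).lstrip(".")
    if host != domain and not host.endswith("." + domain):
        return False  # request host is not within the cookie's domain
    return (parts.path or "/").startswith(cookie["path"])  # Version 0: plain prefix match

def demo() -> list:
    """Constructed sample cookie and five requests; returns the send/no-send decisions."""
    c = parse_set_cookie('customer=Mary; expires=Wed, 09-Sep-2026 00:00:01 GMT; '
                         'domain="scu.edu"; path=/soe; secure')
    now = datetime(2025, 1, 1, tzinfo=timezone.utc)
    later = datetime(2027, 1, 1, tzinfo=timezone.utc)
    return [should_send(c, "https://www.scu.edu/soe/index.html", now),  # sent
            should_send(c, "http://www.scu.edu/soe/index.html", now),   # not SSL
            should_send(c, "https://www.scu.edu/library", now),         # wrong path
            should_send(c, "https://www.example.edu/soe", now),         # wrong domain
            should_send(c, "https://www.scu.edu/soe", later)]           # expired
```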

Cookies: Version 1 cookies (RFC 296)
- Less used.
- Provides a number of extensions.

Cookies: Privacy risk
- Can be controlled by the web-browser.
- Used to track consumer behavior.
- Harder, but possible, to track an individual user.

Cookies: Security risk
- Users can change cookies before continuing to browse. Counter-measure: strong encryption.
- Users could swap / steal cookies, e.g. when cookies are used for authentication: session hijacking.

Cookies: Session Hijacking
Counter-measure: the server needs to send a new cookie after every change in state and verify that a request comes with a valid cookie, for example by appending a MAC of the session state to the cookie after each change of state.

Cookies: Poor practices
Poor encryption of cookies:
- A web-based e-mail service uses a cookie for authentication. The cookie contains the user name encrypted by XOR-ing it with a secret string.
- The attacker can crack the cookie encryption by creating fake accounts, and can then craft a cookie useful for authentication.
- Something similar happened to Hotmail and Yahoo early on.

Cookies: Poor practices
Poor encryption of cookies:
- Shopping cart encoded in the cookie. The cookie contained the shopping cart details in plain text, and an attacker changed the prices of items.
Relying on the cookie for authentication:
- The cookie is sniffed from the net.
- The cookie is stolen by impersonating a web-site.
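The weak XOR cookie and the plain-text cart from the last two slides, beside the MAC-over-session-state counter-measure from the Session Hijacking slide, as an added example that is not part of the original slides: the XOR scheme lets a user-controlled cookie name any account, while the HMAC-tagged cookie rejects any edit to the cart total or user name. The key string, the MAC key, the account names and the cart fields are all constructed sample values.

```python
import hashlib
import hmac
import secrets

XOR_KEY = b"s3cretstring"          # the weak scheme's fixed "secret string" (sample)
MAC_KEY = secrets.token_bytes(32)  # server-side key of the hardened scheme

def xor_bytes(data: bytes) -> bytes:
    # Weak scheme: XOR with the repeated key; the same operation encrypts and decrypts.
    return bytes(b ^ XOR_KEY[i % len(XOR_KEY)] for i, b in enumerate(data))

def xor_login(cookie: bytes) -> str:
    """Weak server: 'decrypts' the cookie and trusts whatever user name comes out."""
    return xor_bytes(cookie).decode()

def signed_cookie(state: dict) -> str:
    """Hardened scheme: state in the clear plus an HMAC tag, re-issued on every state change."""
    body = "&".join(f"{k}={v}" for k, v in sorted(state.items()))
    tag = hmac.new(MAC_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}|{tag}"

def verify_signed(cookie: str):
    """Return the state if the tag matches the body, else None (modified or forged)."""
    body, _, tag = cookie.rpartition("|")
    expected = hmac.new(MAC_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    return dict(item.split("=", 1) for item in body.split("&"))

def demo() -> tuple:
    # Weak scheme: the cookie of a self-registered account ("attacker0001", a constructed
    # name) XORed with that name reveals the key bytes, so a cookie naming another
    # account ("admin") can be assembled and the server accepts it, as the slide says.
    own_cookie = xor_bytes(b"attacker0001")
    key_bytes = bytes(a ^ b for a, b in zip(b"attacker0001", own_cookie))
    forged = bytes(b ^ key_bytes[i] for i, b in enumerate(b"admin"))
    weak_accepts_forgery = xor_login(forged) == "admin"
    # Hardened scheme: editing the cart total (the slide's price-change case) breaks
    # the tag, and verify_signed returns None so the server can reject the request.
    good = signed_cookie({"user": "mary", "cart_total": "49.99"})
    tampered = good.replace("cart_total=49.99", "cart_total=0.01")
    return weak_accepts_forgery, verify_signed(good)["user"], verify_signed(tampered)
```

The MAC only detects modification; a valid cookie sniffed from the net still replays, which is why the slides pair this with the "secure" (SSL-only) option and a fresh cookie after every state change.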

Cookie Alternative: Web Bugs
- Used to track viewers of web-sites.
- The HTML page contains a request to download a resource from a "counting" site. The resource is so small that the viewer does not notice the download.
- The counting site receives the request and adds the IP address to its user database.

Cookie Alternative: Web Bugs
Example: found by the Privacy Foundation on Intuit's home page for Quicken.com several years ago:
<IMG WIDTH=1 HEIGHT=1 border=0 SRC=“ nOfSite_Any&db_acfr=4B31-C2FB- 10E2&event=reghome&group=register&time= ”>

Cookie Alternative: Web Bugs
Can be embedded in any HTML code:
- User profiles written in HTML.
- E-mail messages, but only when read with a client that can display HTML messages and on a computer connected to the internet.
- Usenet messages.