Cookies Bill Chu. © Bei-Tseng Chu Aug 2000 Definition A cookie is a TEXT object of max 4KB sent from a web server to a browser It is intended for the.

Slides:

Advertisements

Similar presentations

CookiesPHPMay-2007 : [‹#›] Maintaining State in PHP Part I - Cookies.

Advertisements

UFCE8V-20-3 Information Systems Development 3 (SHAPE HK)

Cookies, Sessions. Server Side Includes You can insert the content of one file into another file before the server executes it, with the require() function.

Unit 11 Using the Internet & Browsing the Web.  Define the Internet and the Web  Set up & troubleshoot an Internet connection  Categorize webs sites.

Lecture 6/2/12. Forms and PHP The PHP $_GET and $_POST variables are used to retrieve information from forms, like user input When dealing with HTML forms.

Cryptography Chapter 7 Part 4 Pages 833 to 874. PKI Public Key Infrastructure Framework for Public Key Cryptography and for Secret key exchange.

HTTP Cookies. CPSC Application Layer 2 User-server state: cookies Many major Web sites use cookies Four components: 1) cookie header line of HTTP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.

Unit 12 Using the Internet & Browsing the Web.  Understand the difference between the Internet and the World Wide Web  Identify items on a web page.

 Key exchange o Kerberos o Digital certificates  Certificate authority structure o PGP, hierarchical model  Recovery from exposed keys o Revocation.

Servlets and a little bit of Web Services Russell Beale.

CMSC 414 Computer (and Network) Security Lecture 16 Jonathan Katz.

©2009 Justin C. Klein Keane PHP Code Auditing Session 7 Sessions and Cookies Justin C. Klein Keane

Session Management A290/A590, Fall /25/2014.

1 The World Wide Web. 2  Web Fundamentals  Pages are defined by the Hypertext Markup Language (HTML) and contain text, graphics, audio, video and software.

Cookies COEN 351 E-commerce Security. Client / Session Identification HTTP does not maintain state. State Information can be passed using: HTTP Headers.

 A cookie is a piece of text that a Web server can store on a user's hard disk.  Cookie data is simply name-value pairs stored on your hard disk by.

The World-Wide Web. Why we care? How much of your personal info was released to the Internet each time you view a Web page? How much of your personal.

Open Source Server Side Scripting ECA 236 Open Source Server Side Scripting Cookies & Sessions.

Cookies Set a cookie – setcookie() Extract data from a cookie - $_COOKIE Augment user authentication script with a cookie.

Comp2513 Forms and CGI Server Applications Daniel L. Silver, Ph.D.

CSC 2720 Building Web Applications Cookies, URL-Rewriting, Hidden Fields and Session Management.

1-Vulnerabilities 2-Hackers 3-Categories of attacks 4-What a malicious hacker do? 5-Security mechanisms 6-HTTP Web Servers 7-Web applications attacks.

XHTML Introductory1 Linking and Publishing Basic Web Pages Chapter 3.

JavaScript, Fourth Edition

CSE 154 LECTURE 12: COOKIES. Including files: include include("filename"); PHP include("header.html"); include("shared-code.php"); PHP inserts the entire.

Chapter 8 Cookies And Security JavaScript, Third Edition.

XP New Perspectives on The Internet, Sixth Edition— Comprehensive Tutorial 1 1 Browser Basics Introduction to the Web and Web Browser Software Tutorial.

PHP1-1 PHP Lecture 2 Xingquan (Hill) Zhu

Lecture 8 – Cookies & Sessions SFDV3011 – Advanced Web Development 1.

Nic Shulver, Introduction to Sessions in PHP Sessions What is a session? Example Software Software Organisation The login HTML.

10/20/2015 ©2006 Scott Miller, University of Victoria 1 User Authentication Content Generation The Use of Cookies Content Pooling Rev 1.5.

Cookies Web Browser and Server use HTTP protocol to communicate and HTTP is a stateless protocol. But for a commercial website it is required to maintain.

SEC835 Runtime authentication Secure session management Secure use of cryptomaterials.

PHP. $_GET / $_POST / $_SESSION PHP uses predefined variables to provide access to important information about the server and requests from a browser.

Web Database Programming Week 7 Session Management & Authentication.

Cookies and Sessions IDIA 618 Fall 2014 Bridget M. Blodgett.

Copyright © 2003 Pearson Education, Inc. Slide 7-1 The Web Wizard’s Guide to PHP by David Lash.

ASP.Net, Web Forms and Web Controls 1 Outline Session Tracking Cookies Session Tracking with HttpSessionState.

Saving State on the WWW. The Issue  Connections on the WWW are stateless  Every time a link is followed is like the first time to the server — it has.

Cookies COEN 351 E-commerce Security. Client / Session Identification HTTP Headers Client IP Address HTTP User Login FAT URLs Cookies.

CP476 Internet Computing CGI1 Cookie –Cookie is a mechanism for a web server recall info of accessing of a client browser –A cookie is an object sent by.

ECMM6018 Enterprise Networking for Electronic Commerce Tutorial 7

Persistence Maintaining state using cookies and queries.

Chapter 12: How Private are Web Interactions?. Why we care? How much of your personal info was released to the Internet each time you view a Web page?

Internet Applications (Cont’d) Basic Internet Applications – World Wide Web (WWW) Browser Architecture Static Documents Dynamic Documents Active Documents.

1 State and Session Management HTTP is a stateless protocol – it has no memory of prior connections and cannot distinguish one request from another. The.

SESSIONS 27/2/12 Lecture 8. ? Operator Similar to the if statement but returns a value derived from one of two expressions by a colon. Syntax: (expression)

© Copyright 2009 SSLPost 01. © Copyright 2009 SSLPost 02 a recipient is sent an encrypted that contains data specific to that recipient the data.

Web Technologies Lecture 6 State preservation. Motivation How to keep user data while navigating on a website? – Authenticate only once – Store wish list.

Active Directory. Computers in organizations Computers are linked together for communication and sharing of resources There is always a need to administer.

ITM © Port,Kazman 1 ITM 352 Cookies. ITM © Port,Kazman 2 Problem… r How do you identify a particular user when they visit your site (or any.

©SoftMooreSlide 1 Cookies. ©SoftMooreSlide 2 Cookies Basic idea –web application sends a simple name/value pair to the client –when the client connects.

1 PHP HTTP After this lecture, you should be able to know: How to create and process web forms with HTML and PHP. How to create and process web forms with.

COEN 350: Network Security E-Commerce Issues. Table of Content HTTP Authentication Cookies.

8-Mar-16 More About Servlets Session Tracking. Persistent information A server site typically needs to maintain two kinds of persistent (remembered) information:

Secure Transactions Chapter 17. The user's machine No control over security of user's machine –Might be in very insecure: library, school, &c. Users disable.

Session 11: Cookies, Sessions ans Security iNET Academy Open Source Web Development.

PHP: Further Skills 02 By Trevor Adams. Topics covered Persistence What is it? Why do we need it? Basic Persistence Hidden form fields Query strings Cookies.

Fundamentals of Web DevelopmentRandy Connolly and Ricardo HoarFundamentals of Web DevelopmentRandy Connolly and Ricardo Hoar Fundamentals of Web DevelopmentRandy.

Srinivas Balivada USC CSCE548 07/22/2016.  Cookies are generally set server-side using the ‘Set-Cookie’ HTTP header and sent to the client  In PHP to.

Cookies Tutorial Cavisson Systems Inc..

Unit 12 Using the Internet & Browsing the Web

ITM 352 Cookies.

Client / Session Identification Cookies

What is Cookie? Cookie is small information stored in text file on user’s hard drive by web server. This information is later used by web browser to retrieve.

Web Systems Development (CSC-215)

Client / Session Identification Cookies

WJEC GCSE Computer Science

Presentation transcript:

Cookies Bill Chu

© Bei-Tseng Chu Aug 2000 Definition A cookie is a TEXT object of max 4KB sent from a web server to a browser It is intended for the server to maintain session information on top of the basic http protocol It can be used for Remember longin and passwords, e.g. Yahoo mail Keep track of items in an online shopping cart Maintain a user profile, e.g. interested news categories

© Bei-Tseng Chu Aug 2000 Operation A cookie is always created by the server, typically a program e.g. CGI script or servelet It is “pushed” from the server to the browser When the browser connects back to the server, the server can retrieve all its cookies from the browser

© Bei-Tseng Chu Aug 2000 Elements of a cookies Comment Domain A server can only read cookies that are set by a server of the same domain. (servers for bali.vacation.com and mexico.vacation.com can both read cookies set for vacation.com, but not for cookies set for travel.com) Age Life time limit of the cookies If the again is negative, then the cookies is only good as long as the browser is active. When the browser is closed, such cookies are destroyed A cookie of again greater than one will be saved to the disk by the browser

© Bei-Tseng Chu Aug 2000 Elements of a cookie (continued) Name Value The name and value pair contains information that is most relevant for applications using cookies Path Similar to domain, path limits the visibility of cookies based on the URL path. For example cookies sent by is visible to but not to

© Bei-Tseng Chu Aug 2000 Elements of a cookie (cont) Secure Whether to send cookies only in encrypted connections

© Bei-Tseng Chu Aug 2000 Digital foot print with cookies 1. User visits portal.com and clicks on a banner ad, shoe.com, hosted by advts.com 2. advts.com pushes a cookies to the browser: portal.com::shoe.com, it then directs the user to shoe.com, passing that path information to shoe.com 3. User visits a banner ad on shoe.com, vacation.com, also hosted by advts.com 4. advts.com reads cookies from the browser, updates the cookie to: portal.com::shoe.com::vacation.com, it then directs the user to vacation.com, passing that path information to vacation.com. 5. User visits a banner ad on vacation.com, skii.com, also hosted by advts.com 6. advts.com reads cookies from the browser, updates the cookie to: portal.com::shoe.com::vacation.com::skii.com, it then directs the user to skii.com, passing that path information to skii.com.

© Bei-Tseng Chu Aug 2000 Possible acts of privacy violation advts.com could attach a unique number to each digital foot print it tracks Supposed our user bought a pair of shoes from shoe.com, suppose the id associated with this digital foot print is When vacation.com gets the info from advts.com that our user has just visited shoe.com, vacation.com could contact shoe.com and ask what did browser session 1234 buy? If our user has bought a pair of hiking shoes, then vacation.com can high light vacation packages for the mountains.

© Bei-Tseng Chu Aug 2000 Possible Security Risks for cookies Cookie poisoning: Cookie information has been modified by malicious users E.g. e-shoplifting, e-identity theft

© Bei-Tseng Chu Aug 2000 Cookie authentication guidelines Use SSL for username/password authentication Do not store plain text or weakly encrypted password in a cookie The cookie should not be re-used or re-used easily by another person Password or other confidential info should not be able to be extracted from the cookie Cookie authentication credential should NOT be valid for an over extended length of times Set up “booby trapped” session tokens that never actually get assigned but will detect if an attacker is trying to brute force a range of tokens. (Whenever possible) Tie cookie authentication to an IP address (part or all of the IP address) Adding “salt” to your cookie (e.g. hashed http header of a particular browser, MAC address) Re-authenticate whenever critical decisions are made Over write tokens upon logout. Consider using server side cache to store session information, only retain an index to the cache on the client side (also use ‘booby trapped’ indices)