Presentation is loading. Please wait.

Presentation is loading. Please wait.

Cookies Bill Chu. © Bei-Tseng Chu Aug 2000 Definition A cookie is a TEXT object of max 4KB sent from a web server to a browser It is intended for the.

Published byErnest Daniels Modified over 9 years ago

Similar presentations

Presentation on theme: "Cookies Bill Chu. © Bei-Tseng Chu Aug 2000 Definition A cookie is a TEXT object of max 4KB sent from a web server to a browser It is intended for the."— Presentation transcript:

1 Cookies Bill Chu

2 © Bei-Tseng Chu Aug 2000 Definition A cookie is a TEXT object of max 4KB sent from a web server to a browser It is intended for the server to maintain session information on top of the basic http protocol It can be used for Remember longin and passwords, e.g. Yahoo mail Keep track of items in an online shopping cart Maintain a user profile, e.g. interested news categories

3 © Bei-Tseng Chu Aug 2000 Operation A cookie is always created by the server, typically a program e.g. CGI script or servelet It is “pushed” from the server to the browser When the browser connects back to the server, the server can retrieve all its cookies from the browser

4 © Bei-Tseng Chu Aug 2000 Elements of a cookies Comment Domain A server can only read cookies that are set by a server of the same domain. (servers for bali.vacation.com and mexico.vacation.com can both read cookies set for vacation.com, but not for cookies set for travel.com) Age Life time limit of the cookies If the again is negative, then the cookies is only good as long as the browser is active. When the browser is closed, such cookies are destroyed A cookie of again greater than one will be saved to the disk by the browser

5 © Bei-Tseng Chu Aug 2000 Elements of a cookie (continued) Name Value The name and value pair contains information that is most relevant for applications using cookies Path Similar to domain, path limits the visibility of cookies based on the URL path. For example cookies sent by http://ecommerce.site.com/toys/special.htm is visible to http://ecommerce.site.com/toys/bikes/bg.htm but not to http://ecommerce.site.com/cds/classical.htm http://ecommerce.site.com/toys/special.htm http://ecommerce.site.com/toys/bikes/bg.htm

6 © Bei-Tseng Chu Aug 2000 Elements of a cookie (cont) Secure Whether to send cookies only in encrypted connections

7 © Bei-Tseng Chu Aug 2000 Digital foot print with cookies 1. User visits portal.com and clicks on a banner ad, shoe.com, hosted by advts.com 2. advts.com pushes a cookies to the browser: portal.com::shoe.com, it then directs the user to shoe.com, passing that path information to shoe.com 3. User visits a banner ad on shoe.com, vacation.com, also hosted by advts.com 4. advts.com reads cookies from the browser, updates the cookie to: portal.com::shoe.com::vacation.com, it then directs the user to vacation.com, passing that path information to vacation.com. 5. User visits a banner ad on vacation.com, skii.com, also hosted by advts.com 6. advts.com reads cookies from the browser, updates the cookie to: portal.com::shoe.com::vacation.com::skii.com, it then directs the user to skii.com, passing that path information to skii.com.

8 © Bei-Tseng Chu Aug 2000 Possible acts of privacy violation advts.com could attach a unique number to each digital foot print it tracks Supposed our user bought a pair of shoes from shoe.com, suppose the id associated with this digital foot print is 1234. When vacation.com gets the info from advts.com that our user has just visited shoe.com, vacation.com could contact shoe.com and ask what did browser session 1234 buy? If our user has bought a pair of hiking shoes, then vacation.com can high light vacation packages for the mountains.

9 © Bei-Tseng Chu Aug 2000 Possible Security Risks for cookies Cookie poisoning: Cookie information has been modified by malicious users E.g. e-shoplifting, e-identity theft

10 © Bei-Tseng Chu Aug 2000 Cookie authentication guidelines Use SSL for username/password authentication Do not store plain text or weakly encrypted password in a cookie The cookie should not be re-used or re-used easily by another person Password or other confidential info should not be able to be extracted from the cookie Cookie authentication credential should NOT be valid for an over extended length of times Set up “booby trapped” session tokens that never actually get assigned but will detect if an attacker is trying to brute force a range of tokens. (Whenever possible) Tie cookie authentication to an IP address (part or all of the IP address) Adding “salt” to your cookie (e.g. hashed http header of a particular browser, MAC address) Re-authenticate whenever critical decisions are made Over write tokens upon logout. Consider using server side cache to store session information, only retain an index to the cache on the client side (also use ‘booby trapped’ indices)

Download ppt "Cookies Bill Chu. © Bei-Tseng Chu Aug 2000 Definition A cookie is a TEXT object of max 4KB sent from a web server to a browser It is intended for the."

Similar presentations

CookiesPHPMay-2007 : [‹#›] Maintaining State in PHP Part I - Cookies.

CookiesPHPMay-2007 : [‹#›] Maintaining State in PHP Part I - Cookies.
UFCE8V-20-3 Information Systems Development 3 (SHAPE HK)

UFCE8V-20-3 Information Systems Development 3 (SHAPE HK)
Cookies, Sessions. Server Side Includes You can insert the content of one file into another file before the server executes it, with the require() function.

Cookies, Sessions. Server Side Includes You can insert the content of one file into another file before the server executes it, with the require() function.
Unit 11 Using the Internet & Browsing the Web.  Define the Internet and the Web  Set up & troubleshoot an Internet connection  Categorize webs sites.

Unit 11 Using the Internet & Browsing the Web.  Define the Internet and the Web  Set up & troubleshoot an Internet connection  Categorize webs sites.
Lecture 6/2/12. Forms and PHP The PHP $_GET and $_POST variables are used to retrieve information from forms, like user input When dealing with HTML forms.

Lecture 6/2/12. Forms and PHP The PHP $_GET and $_POST variables are used to retrieve information from forms, like user input When dealing with HTML forms.
Cryptography Chapter 7 Part 4 Pages 833 to 874. PKI Public Key Infrastructure Framework for Public Key Cryptography and for Secret key exchange.

Cryptography Chapter 7 Part 4 Pages 833 to 874. PKI Public Key Infrastructure Framework for Public Key Cryptography and for Secret key exchange.
HTTP Cookies. CPSC 441 - Application Layer 2 User-server state: cookies Many major Web sites use cookies Four components: 1) cookie header line of HTTP.

HTTP Cookies. CPSC Application Layer 2 User-server state: cookies Many major Web sites use cookies Four components: 1) cookie header line of HTTP.
Copyright © 2004 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.
Unit 12 Using the Internet & Browsing the Web.  Understand the difference between the Internet and the World Wide Web  Identify items on a web page.

Unit 12 Using the Internet & Browsing the Web.  Understand the difference between the Internet and the World Wide Web  Identify items on a web page.
 Key exchange o Kerberos o Digital certificates  Certificate authority structure o PGP, hierarchical model  Recovery from exposed keys o Revocation.

 Key exchange o Kerberos o Digital certificates  Certificate authority structure o PGP, hierarchical model  Recovery from exposed keys o Revocation.
Servlets and a little bit of Web Services Russell Beale.

Servlets and a little bit of Web Services Russell Beale.
CMSC 414 Computer (and Network) Security Lecture 16 Jonathan Katz.

CMSC 414 Computer (and Network) Security Lecture 16 Jonathan Katz.
©2009 Justin C. Klein Keane PHP Code Auditing Session 7 Sessions and Cookies Justin C. Klein Keane

©2009 Justin C. Klein Keane PHP Code Auditing Session 7 Sessions and Cookies Justin C. Klein Keane
Session Management A290/A590, Fall 2014 09/25/2014.

Session Management A290/A590, Fall /25/2014.
1 The World Wide Web. 2  Web Fundamentals  Pages are defined by the Hypertext Markup Language (HTML) and contain text, graphics, audio, video and software.

1 The World Wide Web. 2  Web Fundamentals  Pages are defined by the Hypertext Markup Language (HTML) and contain text, graphics, audio, video and software.
Cookies COEN 351 E-commerce Security. Client / Session Identification HTTP does not maintain state. State Information can be passed using: HTTP Headers.

Cookies COEN 351 E-commerce Security. Client / Session Identification HTTP does not maintain state. State Information can be passed using: HTTP Headers.
 A cookie is a piece of text that a Web server can store on a user's hard disk.  Cookie data is simply name-value pairs stored on your hard disk by.

 A cookie is a piece of text that a Web server can store on a user's hard disk.  Cookie data is simply name-value pairs stored on your hard disk by.
The World-Wide Web. Why we care? How much of your personal info was released to the Internet each time you view a Web page? How much of your personal.

The World-Wide Web. Why we care? How much of your personal info was released to the Internet each time you view a Web page? How much of your personal.
Open Source Server Side Scripting ECA 236 Open Source Server Side Scripting Cookies & Sessions.

Open Source Server Side Scripting ECA 236 Open Source Server Side Scripting Cookies & Sessions.
Cookies Set a cookie – setcookie() Extract data from a cookie - $_COOKIE Augment user authentication script with a cookie.

Cookies Set a cookie – setcookie() Extract data from a cookie - $_COOKIE Augment user authentication script with a cookie.

Similar presentations

Ads by Google