Tuesday, July 1, 2014

Http Cookies Unsung Hero

Cookie is something which User Agent aka web browser get in terms of http header response. Once it receives cookies then web browser send this cookies as part of http header request to server. This cookies contains some user identifiers via which server can validate the requests and process it and send back the response. "Cookies contains user information hence it is kind of security violation. "
Cookies definition:
Http Header Response
HTTP/1.1 200 OK
Set-Cookie: firstname=santosh$lastname=Poojari ; domain=somewebsite.com; path=/
Set-Cookies: Name $ Value pair ; Domain ; Path
***Size of cookies- 4kb
Usually in asp.net we can store user identifier as GUID.
HTTP/1.1 200 OK
Set-Cookie: GUID=00a2000b7f6a4946a8adf593373e53347c;
domain=.msn.com; path=/
How Session and cookies work-
For the first time , server will set cookies with unique identifier say with GUID. When next time request is initiated, web browser sent this GUID to web server where web server will map this unique identifier with data structure and generate session object for logged in users. Say we have session object with Unique identifier then it will stored user details in session for given cookie user identifier. For subsequent requests server will get data from session rather than actual data structure.
Types of Cookies:
1. Cookie Less Session:
In this sites gives URL to users with unique identifier. This identifier is used to identify user details at web server end. This is also called Fat URL as url may grow in size due to this identifiers. This is generally used when cookies is disabled in web browsers.
2. Session Cookies-
User close the browser and cookies is lost.It is single user cookies. No expire attribute represents session cookies whereas one can explicitly add discard cookies in the header.
HTTP/1.1 200 OK
Set-Cookie: GUID=00a2000b7f6a4946a8adf593373e53347c;
domain=.msn.com; path=/ ; discard
HTTP/1.1 200 OK
Set-Cookie: GUID=00a2000b7f6a4946a8adf593373e53347c;
domain=.msn.com; path=/ ;
3. Persistent cookies-
This  cookies stored in file system and is alive even when client system reboots.

Set-Cookie: name=value; expires=Monday, 09-July-2018  GMT
 Combat Hijacking:-
1.       Choose unique identifier in encrypted format it can be GUID with Http only or asp.net session idenfier120 bits. Doing this we ensure hacker won’t be able to guess the user identifier
Set-Cookie: ASP.NET_SessionId=en5yl2yopwkdamv2ur5c3z45;
path=/; HttpOnly
By making HttpOnly , user agent scripting code aka JavaScript will not be able to read and write cookies.
2.       Additional security layer, specifying domain in set-Cookie will ensure communication requests and response w.r.t to domain. So there is no possibility of privacy bridge in case someone tries to read cookies from cross domain.  There is also path attribute in the set cookies, with this provision we can even ensure request is inline and specific to site path and resource only. Hence it helps better management and categorization of cookies.
Do’s And Don’t
1.       Never cache response header if cookies are set. As it cache will interfere with cookies. Design checklist. Best Practice w.r.t cookies.
2.       Cookies should never stores sensitive information. There are tools via which these cookies can be intercepted and can be used.
3.       Cookies are prone to XSS attack. Ensure HTTP only , domain and if path can be assigned to SET-Cookie
4.       There are greater chances of Third party cookies which can be set by third party URL. It may happen you send requests to www. Server2.com and this server will send the script  tag with embed URL (back links) to the User. Hence it is thus more vulnerable to third party cookies. Be precise to the request sends to the server. Need thorough security assessment and review.
Post a Comment