Introduction
A cookie is something the user agent, i.e. the web browser, receives in an HTTP response header. Once it has received the cookie, the browser sends it back as part of the HTTP request header to the server. The cookie contains a user identifier with which the server can validate the request, process it and send back the response. "Cookies contain user information, hence they are a kind of security violation."
Cookie definition:
HTTP header response:
HTTP/1.1 200 OK
Set-Cookie: firstname=santosh$lastname=Poojari; domain=somewebsite.com; path=/
***Semantics:
Set-Cookie: Name=Value pair; Domain; Path
***Size of a cookie:
4 KB
Usually in ASP.NET we store the user identifier as a GUID:
HTTP/1.1 200 OK
Set-Cookie: GUID=00a2000b7f6a4946a8adf593373e53347c; domain=.msn.com; path=/
How sessions and cookies work:
On the first request, the server sets a cookie carrying a unique identifier, say a GUID. When the next request is made, the web browser sends this GUID to the web server, which maps the unique identifier to its data structure and generates a session object for the logged-in user. Once we have a session object keyed by the unique identifier, the user's details are stored in the session for that cookie identifier. For subsequent requests the server reads the data from the session rather than from the actual data structure.
Types of cookies:
1. Cookieless session:
Here the site gives the user a URL containing a unique identifier. This identifier is used to look up the user's details at the web server end. This is also called a Fat URL, as the URL may grow in size because of these identifiers. It is generally used when cookies are disabled in the web browser.
2. Session cookies:
When the user closes the browser the cookie is lost. It is a single-session cookie. The absence of an Expires attribute marks a session cookie, though one can also explicitly add the Discard attribute in the header.
HTTP/1.1 200 OK
Set-Cookie: GUID=00a2000b7f6a4946a8adf593373e53347c; domain=.msn.com; path=/; discard
OR
HTTP/1.1 200 OK
Set-Cookie: GUID=00a2000b7f6a4946a8adf593373e53347c; domain=.msn.com; path=/;
3. Persistent cookies:
These cookies are stored on the file system and stay alive even when the client system reboots.
Set-Cookie: name=value; expires=Monday, 09-July-2018 GMT
1. Choose a unique identifier in an encrypted format; it can be a GUID with HttpOnly or the 120-bit ASP.NET session identifier. Doing this ensures a hacker will not be able to guess the user identifier.
Set-Cookie: ASP.NET_SessionId=en5yl2yopwkdamv2ur5c3z45; path=/; HttpOnly
By setting HttpOnly, user-agent scripting code, i.e. JavaScript, will not be able to read or write the cookie.
2. As an additional security layer, specifying the domain in Set-Cookie ensures that requests and responses are tied to that domain, so there is no possibility of a privacy breach if someone tries to read the cookie from a cross domain. There is also the path attribute in Set-Cookie; with it we can ensure the request is specific to the site path and resource only. Hence it helps better management and categorization of cookies.
Do's and Don'ts
1. Never cache the response header if cookies are set, as the cache will interfere with the cookies.
Design checklist / best practices w.r.t. cookies:
2. Cookies should never store sensitive information. There are tools via which cookies can be intercepted and used.
3. Cookies are prone to XSS attacks. Ensure HttpOnly, Domain and, where possible, Path are assigned in Set-Cookie.
4. There is a greater chance of third-party cookies, which can be set by a third-party URL. It may happen that you send a request to www.Server2.com and this server sends a script tag with an embedded URL (back link) to the user; the site is then more vulnerable to third-party cookies. Be precise about the requests sent to the server. A thorough security assessment and review is needed.
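As an added example that is not part of the original post, the following Python audits Set-Cookie headers for the attributes discussed above (HttpOnly, Domain, Path, and whether Expires makes the cookie persistent) and also checks the Secure flag, which the post does not cover. The opaque-identifier heuristic and the sample headers are my own assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Heuristic (my assumption) for an opaque session identifier: URL-safe characters
# only, at least 20 of them; a GUID and ASP.NET_SessionId pass, "santosh$..." does not.
OPAQUE_ID = re.compile(r"^[A-Za-z0-9_-]{20,}$")

@dataclass
class CookieAudit:
    name: str
    value: str
    attributes: Dict[str, Optional[str]] = field(default_factory=dict)
    findings: List[str] = field(default_factory=list)

    @property
    def persistent(self) -> bool:
        # Expires or Max-Age makes a persistent cookie; otherwise it dies with the browser.
        return "expires" in self.attributes or "max-age" in self.attributes

def parse_set_cookie(header: str) -> CookieAudit:
    """Split 'Set-Cookie: name=value; attr=val; Flag' into name, value and attributes."""
    if header.lower().startswith("set-cookie:"):
        header = header.split(":", 1)[1]
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, Optional[str]] = {}
    for part in parts[1:]:
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else None  # flags carry no value
    return CookieAudit(name.strip(), value.strip(), attrs)

def audit_set_cookie(header: str) -> CookieAudit:
    """List which of the protections discussed in the post are missing or loose."""
    c = parse_set_cookie(header)
    a = c.attributes
    if "httponly" not in a:
        c.findings.append("missing HttpOnly: page JavaScript can read this cookie")
    if "secure" not in a:
        c.findings.append("missing Secure: cookie is also sent over plain HTTP")
    if a.get("path", "/") == "/":
        c.findings.append("path=/ (or absent): cookie is sent to every path on the site")
    if a.get("domain"):
        c.findings.append(f"domain={a['domain']}: sent to that domain and all its subdomains")
    if not OPAQUE_ID.match(c.value):
        c.findings.append("value is not an opaque random identifier (readable or too short)")
    return c
```

Run it over the Set-Cookie lines from the post to see which of them would fail the checklist.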