1. • Cookies are small text files that are placed on your computer or mobile phone when you browse websites.
• The attacker obtains a cookie from a web page and sends the victim a link that logs the victim in using that very same cookie. If the cookie is not changed when the user logs in, the attacker, who already knows the cookie value, can impersonate the user through it.
Advantage of Cookies:
• Make our website work as you’d expect
• Remember your settings during and between visits
• Offer you free services/content (thanks to advertising)
• Improve the speed/security of the site
• Continuously improve our website for you
• Make our marketing more efficient (ultimately helping us to offer the service we do at the price we do)
2. • Cookies are plain data, not executable code, so cookies themselves aren't harmful: they can't infect computers with viruses or other malware. However, some cyberattacks can hijack cookies and thereby gain access to your browsing sessions.
• A cookie typically contains two pieces of data: a unique ID for each user, and a site name.
• Cookies were originally designed for server-side programming, and at the lowest level they are implemented as an extension to the HTTP protocol.
Disadvantage of Cookies:
• Collect any personally identifiable information (without your express permission)
• Collect any sensitive information (without your express permission)
• Pass personally identifiable data to third parties
• Pay sales commissions
3. Session IDs
• A session ID is a unique identification number generated by a website's server. Session IDs are assigned to site users when they visit a site for the first time.
• The session ID can be stored as a cookie, a form field, or part of the URL (Uniform Resource Locator). Some web servers generate session IDs by simply incrementing a static number, which makes them predictable.
• The session ID is normally generated on the server.
• Website operators can also use these identification numbers to track how site visitors use their websites within a defined period of time (a session).
• The session ID is generated using the Random Number Generator (RNG) cryptographic provider. The provider returns a sequence of 15 randomly generated bytes (15 bytes x 8 bits = 120 bits). The array of random bytes is then mapped to valid URL characters and returned as a string.
• The session ID string can be up to 255 characters long.
• Cookies expire after their specified lifetime.
• The session ends when the user closes the browser or logs out of the application. Only a limited amount of data can be stored in it.
4. • Session hijacking is a technique used by hackers to gain access to a target's computer or online accounts. In a session hijacking attack, a hacker takes control of a user's browsing session to gain access to their personal information and passwords.
5. Tokens:
• Tokens, or JWTs in this context, are stateless in nature, meaning the server doesn't need to keep a record of the token. Each token is self-contained, holding the information needed for verification and identification on the server.
Advantage of Tokens:
• Flexibility and ease of use: JWTs are easy to use. Their self-contained nature lets you verify them without database lookups. This makes JWTs more suitable for use in an API, since the API server doesn't need to keep track of user sessions.
• Cross-platform capabilities: Because of their stateless nature, tokens can be seamlessly implemented on mobile platforms and internet of things (IoT) applications, especially in comparison to cookies.
• Multiple storage options: Tokens can be stored in a number of ways in browsers or front-end applications.
6. JWT TOKEN
• JWTs are cryptographically signed and base64-encoded. They're only secure when they aren't exposed, so they should be treated like passwords.
• A JWT can be viewed but not manipulated on the client side. You can take your token to jwt.io, choose the algorithm used to sign it, and see the data. You just can't tamper with it: the signature is computed on the server, and any change to the contents invalidates it.
• The lifespan of a JWT should be kept short to limit the risk caused by a leaked token.
8. • Cookies and tokens are two common ways of setting up authentication.
• Cookies are chunks of data created by the server and sent to the client for communication purposes.
• Tokens, usually referring to JSON Web Tokens (JWTs), are signed credentials encoded into a long string of characters created by the server.
• The main difference between cookies and tokens is their nature: tokens are stateless while cookies are stateful.
• When to use cookies or tokens
• In general, the choice between a session cookie or a structured token will depend on your use case. You should use cookies when you need to keep track of user interactions, such as with an e-commerce application or website. You can use tokens when building API services or implementing distributed systems.
9. • The main difference between session and token authentication is that the authentication details are stored on the server side in session authentication and on the user side in token authentication. Token authentication is more secure than session authentication because a signed token cannot be tampered with.
• Different types of tokens are used in different environments. Common token types include:
• Access tokens
• ID tokens
• Self-signed JWTs
• Refresh tokens
• Federated tokens
• Bearer tokens
10. • JWT is mainly used for APIs, while OAuth can be used for web, browser, API, and various apps or resources.
• JWT vs OAuth: JWT defines a token format, while OAuth defines authorization protocols.
• JWT is simple and easy to learn from the initial stage, while OAuth is complex.
• OAuth uses both client-side and server-side storage, while JWT must use only client-side storage.
• JWT has limited scope and use cases. OAuth is highly flexible and can be easily used in a wide range of situations.
11. Cookie attributes:
• 1) Secure attribute
• 2) HttpOnly
• 3) Domain
• 4) Path
• 5) Expires
• 6) SameSite
• 7) Strict value (SameSite=Strict)
• https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/06-Session_Management_Testing/02-Testing_for_Cookies_Attributes
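The following is an added example, not code from the original slides or from the OWASP guide linked above. It builds a Set-Cookie header that carries the attributes in the list, and includes a small audit function of the kind used when testing cookie attributes, which parses a Set-Cookie header and reports which hardening attributes are absent or weak. Cookie names, values and dates are made-up sample data.

```javascript
// Added example (not from the original slides): emitting a hardened Set-Cookie
// header and auditing an arbitrary one for the attributes listed above.

// Build a Set-Cookie value. Omitting Domain makes the cookie host-only (sent to the
// issuing host alone), which is the tighter default, so Domain is optional here.
function buildSetCookie({ name, value, domain, path = "/", expires, maxAge, sameSite = "Strict" }) {
  const parts = [`${name}=${value}`];
  if (domain) parts.push(`Domain=${domain}`);
  parts.push(`Path=${path}`);
  if (expires instanceof Date) parts.push(`Expires=${expires.toUTCString()}`);
  if (Number.isInteger(maxAge)) parts.push(`Max-Age=${maxAge}`);
  parts.push("Secure");               // only sent over HTTPS
  parts.push("HttpOnly");             // not readable from document.cookie
  parts.push(`SameSite=${sameSite}`); // Strict: never attached to cross-site requests
  return parts.join("; ");
}

// Split "name=value; Attr; Attr=val" into its parts. Attribute names are case-insensitive.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attributes: {} };
  for (const attr of attrs) {
    if (!attr) continue;
    const i = attr.indexOf("=");
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    cookie.attributes[key] = i === -1 ? true : attr.slice(i + 1);
  }
  return cookie;
}

// Report missing or weak attributes. `persistent` tells whether Expires/Max-Age is set;
// a session cookie (no expiry) is not a finding by itself, so it is reported separately.
function auditSetCookie(header) {
  const cookie = parseSetCookie(header);
  const a = cookie.attributes;
  const findings = [];
  if (!a.secure) findings.push("missing Secure");
  if (!a.httponly) findings.push("missing HttpOnly");
  if (!("samesite" in a)) findings.push("missing SameSite");
  else if (String(a.samesite).toLowerCase() === "none") findings.push("SameSite=None permits cross-site sending");
  if (!("path" in a)) findings.push("missing Path");
  const persistent = "expires" in a || "max-age" in a;
  return { name: cookie.name, persistent, findings };
}

module.exports = { buildSetCookie, parseSetCookie, auditSetCookie };
```

Running `auditSetCookie` over the Set-Cookie headers captured from a test session gives a quick checklist against the attributes on this slide before going through the OWASP testing steps by hand.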