Cookies: HTTP state management mechanism
Download as PPTX, PDF4 likes1,989 views
The document discusses cookies, which are small pieces of information sent from a web server and stored in a user's web browser. Cookies allow state to be maintained across HTTP requests. The document outlines that cookies have privacy and security considerations and provides guidelines for cookie authentication. It defines session and persistent cookies and describes how cookies work by explaining the interaction between a user's browser and a website server.
Cookies: HTTP state management mechanism
- 1. COOKIES HTTP STATE MANAGEMENT MECHANISM
- 2. OUR TEAM Bibek Subedi, 066 BCT 506 Dinesh Subedi, 066 BCT 512 Laxmi Kadariya, 066 BCT 518 Jivan Nepali, 066 BCT 517 June 19, 2013
- 3. PRESENTATION OUTLINE INTRODUCTION – Definition, Types, Purpose, Syntax & Semantics of Cookies COOKIE TECHNOLOGY – Components, Working Principle & Storage Model COOKIE: PRIVACY CONSIDERATIONS COOKIE: SECURITY CONSIDERATIONS COOKIE AUTHENTICATION GUIDELINES
- 4. INTRODUCTION A “cookie” is a small piece of information sent by a web server to store on a web browser so it can later be read back from that browser. This is useful for having the browser remember some specific information. Cookies were designed to be a reliable mechanism for websites to remember the state of the website or activity the user had taken in the past Although cookies cannot carry viruses, and cannot install malware on the host computer, tracking cookies and especially third-party tracking cookies are commonly used as ways to compile long-term records of individuals’ browsing histories – Privacy Concern
- 5. PURPOSE OF COOKIES Cookies make the interaction between users and web sites faster and easier Web sites often use cookies of the purpose of collecting demographic information about their users. Cookies enable web sites to monitor their users’ web surfing habits and profile them for marketing purposes With the increasing commercial applications of the Internet, it was probably inevitable that cookies would quickly be utilized for advertising purposes. Since cookies can be matched to the profile of a user’s interests and browsing habits, they are a natural tool for the “targeting” of advertisements to individual users.
- 6. TYPES OF COOKIES Session or Transient cookies Cookies that are stored in the computer’s memory only during a user’s browsing session and are automatically deleted form the user’s computer when the browser is closed. Permanent, Persistent or Stored cookies Permanent cookies can be used to identify individual users, so they may be used by web sites to analyze users’ surfing behavior within the web site. They are usually configured to keep track of users for a prolonged period of time, in some cases many years into the future.
- 7. SYNTAX & SEMANTICS OF COOKIES 1. Cookie Name ◦ public String getName(); ◦ public void setName(String name); 2. Cookie Value ◦ public String getValue(); ◦ public void setValue(String value); 3. Cookie Version ◦ public String getVersion(); ◦ pulic void setVersion(String domain); 4. Cookie Age ◦ public in getMaxAge(); ◦ public void setMaxAge(int lifetime);
- 8. EXAMPLE- SYNTAX & SEMANTICS (Java) Creating a Cookie Step 1: Create a Cookie instance by calling the Constructor Cookie cookie = new Cookie() Step 2: Set the name and value of the Cookie cookie.setName(“ID”); cookie.setValue(5); (Both step can be done directly using Cookie cookie = new Cookie(“ID”,5) Step 3: Set and maximum age and version of Cookie cookie.setMaxAge(2500); cookie.setVersion(1); Step 4: Finally add the cookie object to the response object Response.addCookie(cookie);
- 9. COOKIE COMPONENTS HTTP is stateless. But, if an website wants to keep track the identity of its user, then HTTP uses cookie for this purpose. Cookie technology has following four components o A cookie header line in the HTTP response message o A cookie header line in the HTTP request message o A cookie file kept in the user’s end system & managed by the user’s browser o A back-end database at the website
- 10. WORKING PRINCIPLE:USER-SERVER INTERACTION Suppose Susan, who always accesses the Web using Internet Explorer from her home PC, contacts amazon.com for the first time. Let us suppose that in the past she has already visited the eBay site – ebay.com. When the HTTP request comes in the Amazon’s web server, it creates ◦ unique Identification number ◦ entry in backend database that is indexed by the Identification number for Susan
- 11. WORKING PRINCIPLE CONTD… Figure : Keeping user ‘state’ using cookies
- 12. WORKING PRINCIPLE CONTD… WHAT COOKIES CAN BRING Authorization Shopping carts Recommendations User session state (Web e-mail) HOW TO KEEP STATE Protocol endpoints: maintain state at sender/receiver over multiple transactions Cookies: http messages carry state
- 13. PRIVACY CONSIDERATIONS Third party cookies if a user visits a site that contains content from a third party and then later visits another site that contains content from the same third party, the third party can track the user between the two sites User controls User agents SHOULD provide users with a mechanism for managing the cookies stored in the cookie store Expiration dates Although servers can set the expiration date for cookies to the distant future, most user agents do not actually retain cookies for multiple decades
- 14. SECURITY CONSIDERATIONS Ambient authority Clear text Session identifier Weak confidentiality Weak integrity
- 15. COOKIE AUTHENTICATION GUIDELINES Use SSL for username/password authentication Do not store plain text or weakly encrypted password in a cookie The cookie should not be re-used or re-used easily by another person Password or other confidential info should not be able to be extracted from the cookie Cookie authentication credential should NOT be valid for an over extended length of times Set up “booby trapped” session tokens that never actually get assigned but will detect if an attacker is trying to brute force a range of tokens.
- 16. COOKIE AUTHENTICATION GUIDELINES CONTD… (Whenever possible) Tie cookie authentication to an IP address (part or all of the IP address) Adding “salt” to your cookie (e.g. hashed http header of a particular browser, MAC address) Re-authenticate whenever critical decisions are made Over write tokens upon logout. Consider using server side cache to store session information, only retain an index to the cache on the client side (also use ‘booby trapped’ indices)
- 17. Thank You! Questions & Answers Session