3. PRESENTATION OUTLINE
INTRODUCTION – Definition, Types, Purpose, Syntax & Semantics of Cookies
COOKIE TECHNOLOGY – Components, Working Principle & Storage Model
COOKIE: PRIVACY CONSIDERATIONS
COOKIE: SECURITY CONSIDERATIONS
COOKIE AUTHENTICATION GUIDELINES
4. INTRODUCTION
A “cookie” is a small piece of information sent by a web server for the web
browser to store, so that it can later be read back from that browser on
subsequent requests. This is useful for having the browser remember some
specific information.
Cookies were designed to be a reliable mechanism for websites to remember
state, or actions the user has taken in the past.
Although cookies cannot carry viruses and cannot install malware on the host
computer, tracking cookies, and especially third-party tracking cookies, are
commonly used to compile long-term records of individuals’ browsing
histories (a privacy concern).
5. PURPOSE OF COOKIES
Cookies make the interaction between users and web sites faster and easier.
Web sites often use cookies for the purpose of collecting demographic information
about their users.
Cookies enable web sites to monitor their users’ web surfing habits and profile
them for marketing purposes.
With the increasing commercial applications of the Internet, it was probably
inevitable that cookies would quickly be utilized for advertising purposes.
Since cookies can be matched to the profile of a user’s interests and browsing
habits, they are a natural tool for the “targeting” of advertisements to individual
users.
6. TYPES OF COOKIES
Session or transient cookies
Cookies that are stored in the computer’s memory only during a user’s
browsing session and are automatically deleted from the user’s computer
when the browser is closed. A cookie set without an Expires or Max-Age
attribute is a session cookie.
Permanent, persistent or stored cookies
Cookies set with an Expires or Max-Age attribute, which the browser writes to
disk and keeps until that time. Permanent cookies can be used to identify
individual users, so they may be used by web sites to analyze users’ surfing
behavior within the web site. They are usually configured to keep track of
users for a prolonged period of time, in some cases many years into the future.
7. SYNTAX & SEMANTICS OF COOKIES (javax.servlet.http.Cookie)
1. Cookie Name
◦ public String getName();
◦ (no setter: the name is fixed by the constructor Cookie(String name, String value))
2. Cookie Value
◦ public String getValue();
◦ public void setValue(String value);
3. Cookie Version
◦ public int getVersion();
◦ public void setVersion(int version);
4. Cookie Age (in seconds; a negative value means a session cookie, 0 tells the browser to delete the cookie)
◦ public int getMaxAge();
◦ public void setMaxAge(int expiry);
8. EXAMPLE - SYNTAX & SEMANTICS (Java)
Creating a Cookie
Step 1: Create the Cookie instance by calling the constructor, which takes
the name and the value. The servlet Cookie class has no no-argument
constructor and no setName(), and the value must be a String, so "5"
rather than 5:
Cookie cookie = new Cookie("ID", "5");
Step 2: The value (but not the name) can be changed later:
cookie.setValue("5");
Step 3: Set the maximum age in seconds (2500 seconds, about 42 minutes) and,
on servlet versions that still support it, the version. Version 0, the
default, is the form browsers actually implement (RFC 6265); setVersion
is deprecated in recent Jakarta Servlet releases:
cookie.setMaxAge(2500);
cookie.setVersion(1);
Step 4: Finally add the cookie object to the HttpServletResponse object
(conventionally a variable named response, lower case):
response.addCookie(cookie);
For a cookie that identifies a logged-in user, also call cookie.setSecure(true)
and cookie.setHttpOnly(true) so the browser sends it only over HTTPS and does
not expose it to page scripts.
9. COOKIE COMPONENTS
HTTP is stateless, but if a website wants to keep track of the identity
of its users, it uses cookies for this purpose.
Cookie technology has the following four components:
o A cookie header line (Set-Cookie) in the HTTP response message
o A cookie header line (Cookie) in the HTTP request message
o A cookie file kept on the user’s end system and managed by the user’s
browser
o A back-end database at the website
10. WORKING PRINCIPLE: USER-SERVER INTERACTION
Suppose Susan, who always accesses the Web using Internet Explorer
from her home PC, contacts amazon.com for the first time.
Let us suppose that in the past she has already visited the eBay site,
ebay.com.
When the HTTP request arrives at Amazon’s web server, the server creates:
◦ a unique identification number
◦ an entry in its back-end database, indexed by that identification number,
for Susan
12. WORKING PRINCIPLE CONTD…
What cookies can bring:
◦ Authorization
◦ Shopping carts
◦ Recommendations
◦ User session state (Web e-mail)
How to keep state:
◦ Protocol endpoints: maintain state at sender/receiver over multiple
transactions
◦ Cookies: HTTP messages carry the state
13. PRIVACY CONSIDERATIONS
Third party cookies
if a user visits a site that contains content from a third party and then later visits
another site that contains content from the same third party, the third party can track
the user between the two sites
User controls
User agents SHOULD provide users with a mechanism for managing the cookies stored
in the cookie store
Expiration dates
Although servers can set the expiration date for cookies to the distant future, most
user agents do not actually retain cookies for multiple decades
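The user-server exchange of slide 10 (a Set-Cookie header on the first response, a Cookie header on later requests, a back-end database keyed by the identification number) and the third-party tracking case above, run through Python's standard-library cookie jar. This is an added example, not from the presentation: the Site class, the host names shop.example, news.example and tracker.example, and the minimal _Response object are constructed for it. The jar's DefaultCookiePolicy(strict_ns_unverifiable=True) stands in for the browser control that refuses third-party cookies.

```python
import email.message
import secrets
import urllib.parse
import urllib.request
from http.cookiejar import CookieJar, DefaultCookiePolicy


class _Response:
    """Stand-in for the response object CookieJar.extract_cookies() reads:
    it only needs info() to return a headers object with get_all()."""

    def __init__(self, set_cookie=None):
        self.headers = email.message.Message()
        if set_cookie is not None:
            self.headers["Set-Cookie"] = set_cookie

    def info(self):
        return self.headers


class Site:
    """Toy web server (constructed for this example). A first-time visitor is
    given a fresh identification number via Set-Cookie and a row in the
    back-end database; returning visitors are recognised by the Cookie header."""

    def __init__(self, cookie_name):
        self.cookie_name = cookie_name
        self.db = {}   # identification number -> list of (embedding host, path)

    def handle(self, request):
        """Serve one request; return (response, identification number used)."""
        sent = dict(part.strip().split("=", 1)
                    for part in request.get_header("Cookie", "").split(";") if "=" in part)
        ident = sent.get(self.cookie_name)
        set_cookie = None
        if ident not in self.db:                      # first visit, or an unknown id
            ident = secrets.token_hex(8)
            self.db[ident] = []
            set_cookie = f"{self.cookie_name}={ident}; Path=/; Max-Age=2500; HttpOnly"
        path = urllib.parse.urlparse(request.get_full_url()).path
        self.db[ident].append((request.origin_req_host, path))
        return _Response(set_cookie), ident


def browse(jar, site, url, embedded_in=None):
    """Fetch url the way a browser holding `jar` would. embedded_in names the
    host of the page that embeds this resource, i.e. a third-party sub-request."""
    if embedded_in is None:
        request = urllib.request.Request(url)
    else:
        request = urllib.request.Request(url, origin_req_host=embedded_in, unverifiable=True)
    jar.add_cookie_header(request)            # request side: Cookie header from the jar
    response, ident = site.handle(request)
    jar.extract_cookies(response, request)    # response side: Set-Cookie stored per policy
    return ident


def first_party_session():
    """Susan's two requests to one site: the second carries the id issued on the first."""
    jar, shop = CookieJar(), Site("ID")
    first = browse(jar, shop, "http://shop.example/")
    second = browse(jar, shop, "http://shop.example/cart")
    return first == second, shop.db[second]


def tracker_profile(block_third_party):
    """Two unrelated sites embed the same tracker.example pixel. Returns what the
    tracker can link to the visitor it sees on the second site."""
    policy = DefaultCookiePolicy(strict_ns_unverifiable=block_third_party)
    jar, tracker = CookieJar(policy), Site("TID")
    last = None
    for host in ("shop.example", "news.example"):
        last = browse(jar, tracker, "http://tracker.example/pixel.gif", embedded_in=host)
    return tracker.db[last]


if __name__ == "__main__":
    print(first_party_session())
    print(tracker_profile(block_third_party=False))   # both sites linked to one TID
    print(tracker_profile(block_third_party=True))    # tracker sees only the second visit
```

The jar can only refuse the tracker's cookie because the embedded fetch is marked unverifiable with its origin_req_host set; a real browser makes the same decision from the top-level site of the page, which is why the same cookie jar, fed the same Set-Cookie line, stores it for a first-party visit and drops it for a third-party one.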
15. COOKIE AUTHENTICATION GUIDELINES
Use SSL/TLS (HTTPS) for username/password authentication, and send the
resulting cookie only over HTTPS (Secure flag).
Do not store a plain text or weakly encrypted password in a cookie.
The cookie should not be reusable, or easily reusable, by another person
(replay).
Passwords or other confidential information should not be extractable from
the cookie.
A cookie authentication credential should NOT be valid for an overly long
time.
Set up “booby trapped” session tokens that never actually get assigned but will
detect if an attacker is trying to brute force a range of tokens.
16. COOKIE AUTHENTICATION GUIDELINES CONTD…
(Whenever possible) Tie cookie authentication to an IP address (part or all
of the IP address); expect false rejections for clients whose address changes
mid-session (mobile networks, load-balanced proxies).
Add “salt” to your cookie (e.g. a hash of the HTTP headers of a particular
browser, or a MAC address where one is known; an Internet-facing web server
normally does not see the client’s MAC address, so header-derived values are
what is available in practice).
Re-authenticate whenever critical decisions are made.
Overwrite tokens upon logout.
Consider using a server-side cache to store session information, and only retain
an index to the cache on the client side (also use “booby trapped” indices).
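The guidelines of slides 15 and 16 put together as one server-side session store: the cookie carries only a random index, the user and expiry live on the server, the session is bound to a hash of the client address and browser header, tokens are destroyed on logout, and a set of booby-trapped tokens is kept that is never issued. This is an added example, not code from the presentation; the SessionStore class, its method names and the 15-minute lifetime are assumptions made for it, and the client addresses and user agent in the demo are constructed.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_BYTES = 32       # 256 bits of randomness: the index is infeasible to guess
SESSION_TTL = 15 * 60  # seconds a cookie credential stays valid before re-authentication
TRAP_COUNT = 64        # booby-trapped tokens that exist in the store but are never issued


class SessionStore:
    """All session state lives here on the server; the cookie carries only the index."""

    def __init__(self, now=time.time):
        self.now = now                  # injectable clock so expiry can be tested
        self._sessions = {}             # token -> {"user", "fingerprint", "expires"}
        self._traps = {self._new_token() for _ in range(TRAP_COUNT)}
        self.alerts = []                # (reason, token) records for the detection team

    @staticmethod
    def _new_token():
        return secrets.token_urlsafe(TOKEN_BYTES)

    @staticmethod
    def fingerprint(remote_addr, user_agent):
        """The slide's "salt": a hash of the client address and browser header.
        A web server never sees the client's MAC address, so these are what it has."""
        return hashlib.sha256(f"{remote_addr}|{user_agent}".encode()).hexdigest()

    def create(self, user, fingerprint):
        """Issue a session after the password has already been verified over TLS.
        The password itself is never written into the cookie."""
        token = self._new_token()
        while token in self._traps or token in self._sessions:   # practically never loops
            token = self._new_token()
        self._sessions[token] = {"user": user, "fingerprint": fingerprint,
                                 "expires": self.now() + SESSION_TTL}
        return token

    def cookie_header(self, token):
        """Set-Cookie value for the index: sent only over HTTPS and hidden from script."""
        return f"SESSION={token}; Path=/; Max-Age={SESSION_TTL}; Secure; HttpOnly"

    def authenticate(self, token, fingerprint):
        """Map a presented cookie to a user, or return None and record why."""
        if token in self._traps:                      # someone is enumerating tokens
            self.alerts.append(("booby-trapped token presented", token))
            return None
        session = self._sessions.get(token)
        if session is None:
            return None
        if session["expires"] <= self.now():          # over-extended lifetime
            del self._sessions[token]
            return None
        if not hmac.compare_digest(session["fingerprint"], fingerprint):
            self.alerts.append(("cookie replayed from a different client", token))
            del self._sessions[token]                 # treat as stolen: kill it
            return None
        return session["user"]

    def logout(self, token):
        """Destroy the token so a copy of the cookie is worthless after logout."""
        self._sessions.pop(token, None)
        return token not in self._sessions

    def sample_trap(self):
        """One booby-trapped token, only to demonstrate detection (never hand these out)."""
        return next(iter(self._traps))


if __name__ == "__main__":
    store = SessionStore()
    fp = SessionStore.fingerprint("203.0.113.5", "Mozilla/5.0 (X11)")   # constructed client
    tok = store.create("susan", fp)
    print(store.cookie_header(tok))
    print(store.authenticate(tok, fp))                                   # susan
    other = SessionStore.fingerprint("198.51.100.9", "Mozilla/5.0 (X11)")
    print(store.authenticate(tok, other))                                # None, session killed
    print(store.authenticate(store.sample_trap(), fp), store.alerts)
```

With 256-bit random indices a brute-force search never reaches a trap, so the traps are a detection layer on top of token entropy, not a substitute for it; they earn their keep when tokens are shorter or drawn from a predictable range, which is the case the slide describes.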