1. COOKIES
HTTP STATE MANAGEMENT MECHANISM

2. OUR TEAM
Bibek Subedi, 066 BCT 506
Dinesh Subedi, 066 BCT 512 Laxmi Kadariya, 066 BCT 518
Jivan Nepali, 066 BCT 517
June 19, 2013

3. PRESENTATION OUTLINE
 INTRODUCTION – Definition, Types, Purpose, Syntax & Semantics of Cookies
 COOKIE TECHNOLOGY – Components, Working Principle & Storage Model
 COOKIE: PRIVACY CONSIDERATIONS
 COOKIE: SECURITY CONSIDERATIONS
 COOKIE AUTHENTICATION GUIDELINES

4. INTRODUCTION
 A “cookie” is a small piece of information sent by a web server to store
on a web browser so it can later be read back from that browser. This is
useful for having the browser remember some specific information.
 Cookies were designed to be a reliable mechanism for websites to
remember the state of the website or activity the user had taken in the
past
 Although cookies cannot carry viruses, and cannot install malware on
the host computer, tracking cookies and especially third-party tracking
cookies are commonly used as ways to compile long-term records of
individuals’ browsing histories – Privacy Concern

5. PURPOSE OF COOKIES
 Cookies make the interaction between users and web sites faster and easier
 Web sites often use cookies of the purpose of collecting demographic information
about their users.
 Cookies enable web sites to monitor their users’ web surfing habits and profile
them for marketing purposes
 With the increasing commercial applications of the Internet, it was probably
inevitable that cookies would quickly be utilized for advertising purposes.
 Since cookies can be matched to the profile of a user’s interests and browsing
habits, they are a natural tool for the “targeting” of advertisements to individual
users.

6. TYPES OF COOKIES
 Session or Transient cookies
Cookies that are stored in the computer’s memory only during a user’s
browsing session and are automatically deleted form the user’s computer
when the browser is closed.
 Permanent, Persistent or Stored cookies
Permanent cookies can be used to identify individual users, so they may
be used by web sites to analyze users’ surfing behavior within the web
site. They are usually configured to keep track of users for a prolonged
period of time, in some cases many years into the future.

7. SYNTAX & SEMANTICS OF
COOKIES
1. Cookie Name
◦ public String getName();
◦ public void setName(String name);
2. Cookie Value
◦ public String getValue();
◦ public void setValue(String value);
3. Cookie Version
◦ public String getVersion();
◦ pulic void setVersion(String domain);
4. Cookie Age
◦ public in getMaxAge();
◦ public void setMaxAge(int lifetime);

8. EXAMPLE- SYNTAX &
SEMANTICS (Java)
Creating a Cookie
Step 1: Create a Cookie instance by calling the
Constructor
Cookie cookie = new Cookie()
Step 2: Set the name and value of the Cookie
cookie.setName(“ID”);
cookie.setValue(5);
(Both step can be done directly using Cookie
cookie = new Cookie(“ID”,5)
Step 3: Set and maximum age and version of
Cookie
cookie.setMaxAge(2500);
cookie.setVersion(1);
Step 4: Finally add the cookie object to the
response object
Response.addCookie(cookie);

9. COOKIE COMPONENTS
 HTTP is stateless. But, if an website wants to keep track the
identity of its user, then HTTP uses cookie for this purpose.
 Cookie technology has following four components
o A cookie header line in the HTTP response message
o A cookie header line in the HTTP request message
o A cookie file kept in the user’s end system & managed by the user’s
browser
o A back-end database at the website

10. WORKING PRINCIPLE:USER-SERVER
INTERACTION
 Suppose Susan, who always accesses the Web using Internet Explorer
from her home PC, contacts amazon.com for the first time.
 Let us suppose that in the past she has already visited the eBay site –
ebay.com.
 When the HTTP request comes in the Amazon’s web server, it creates
◦ unique Identification number
◦ entry in backend database that is indexed by the Identification number
for Susan

11. WORKING PRINCIPLE CONTD…
Figure : Keeping user ‘state’
using cookies

12. WORKING PRINCIPLE CONTD…
WHAT COOKIES CAN BRING
 Authorization
 Shopping carts
 Recommendations
 User session state (Web e-mail)
HOW TO KEEP STATE
 Protocol endpoints: maintain
state at sender/receiver over
multiple transactions
 Cookies: http messages carry
state

13. PRIVACY CONSIDERATIONS
 Third party cookies
if a user visits a site that contains content from a third party and then later visits
another site that contains content from the same third party, the third party can track
the user between the two sites
 User controls
User agents SHOULD provide users with a mechanism for managing the cookies stored
in the cookie store
 Expiration dates
Although servers can set the expiration date for cookies to the distant future, most
user agents do not actually retain cookies for multiple decades

14. SECURITY CONSIDERATIONS
 Ambient authority
 Clear text
 Session identifier
 Weak confidentiality
 Weak integrity

15. COOKIE AUTHENTICATION
GUIDELINES
 Use SSL for username/password authentication
 Do not store plain text or weakly encrypted password in a cookie
 The cookie should not be re-used or re-used easily by another person
 Password or other confidential info should not be able to be extracted from
the cookie
 Cookie authentication credential should NOT be valid for an over extended
length of times
 Set up “booby trapped” session tokens that never actually get assigned but will
detect if an attacker is trying to brute force a range of tokens.

16. COOKIE AUTHENTICATION GUIDELINES
CONTD…
(Whenever possible) Tie cookie authentication to an IP address (part or all
of the IP address)
 Adding “salt” to your cookie (e.g. hashed http header of a particular
browser, MAC address)
 Re-authenticate whenever critical decisions are made
 Over write tokens upon logout.
 Consider using server side cache to store session information, only retain
an index to the cache on the client side (also use ‘booby trapped’ indices)

17. Thank
You!
Questions & Answers Session