Bienvenido! - Willkommen! - Welcome!

Technical Log of Tux&Cía., Santa Cruz de la Sierra, BO
May the source be with you!

Wednesday, July 23, 2008

Butter- or HTTP- cookies?

Status codes
200 OK
301 Moved permanently
302 Found
403 Forbidden
404 Not Found

HTTP cookies, more commonly referred to as Web cookies, tracking cookies or just cookies, are parcels of text sent by a server to a web client (usually a browser) and then sent back unchanged by the client each time it accesses that server. HTTP cookies are used for authentication, session tracking (state maintenance), and maintaining specific information about users, such as site preferences or the contents of their electronic shopping carts. The term "cookie" is derived from "magic cookie," a well-known concept in UNIX computing which inspired both the idea and the name of HTTP cookies.
Cookies have been of concern for Internet privacy, since they can be used for tracking browsing behavior. As a result, they have been subject to legislation in various countries such as the United States, as well as the European Union. Cookies have also been criticized because the identification of users they provide is not always accurate and because they could potentially be a target of network attackers. Some alternatives to cookies exist, but each has its own uses, advantages, and drawbacks.
Cookies are also subject to a number of misconceptions, mostly based on the erroneous notion that they are computer programs. In fact, cookies are simple pieces of data unable to perform any operation by themselves. In particular, they are neither spyware nor viruses, despite the detection of cookies from certain sites by many anti-spyware products.
Most modern browsers allow users to decide whether to accept cookies, but rejection makes some websites unusable. For example, shopping carts implemented using cookies do not work if cookies are rejected.

Realization

A possible interaction between a Web browser and a server holding a Web page, in which the server sends a cookie to the browser and the browser sends it back when requesting another page.

Technically, cookies are arbitrary pieces of data chosen by the Web server and sent to the browser. The browser returns them unchanged to the server, introducing a state (memory of previous events) into otherwise stateless HTTP transactions. Without cookies, each retrieval of a Web page or component of a Web page is an isolated event, mostly unrelated to all other views of the pages of the same site. By returning a cookie to a web server, the browser provides the server a means of connecting the current page view with prior page views. Other than being set by a web server, cookies can also be set by a script in a language such as JavaScript, if supported and enabled by the Web browser.
Cookie specifications suggest that browsers should support a minimal number of cookies or amount of memory for storing them. In particular, an internet browser is expected to be able to store at least 300 cookies of four kilobytes each, and at least 20 cookies per server or domain.
The maximum number of cookies stored per domain for the major browsers is:

  • Firefox 1.5: 50
  • Firefox 2.0: 50
  • Opera 9: 30
  • Internet Explorer 6: 20 (raised to 50 in update on 14 August 2007)
  • Internet Explorer 7: 20 (raised to 50 in update on 14 August 2007)

In practice cookies must be smaller than 4 kilobytes. Internet Explorer imposes a 4KB total for all cookies stored in a given domain.
Cookie names are case insensitive according to section 3.1 of RFC 2965.
The cookie setter can specify a deletion date, in which case the cookie will be removed on that date. If the cookie setter does not specify a date, the cookie is removed once the user quits his or her browser. As a result, specifying a date is a way for making a cookie survive across sessions. For this reason, cookies with an expiration date are called persistent. As an example application, a shopping site can use persistent cookies to store the items users have placed in their basket. This way, if users quit their browser without making a purchase and return later, they still find the same items in the basket so they do not have to look for these items again. If these cookies were not given an expiration date, they would expire when the browser is closed, and the information about the basket content would be lost.
Cookies can also be limited in scope to a specific domain, subdomain or path on the web server which created them. However Phorm has attracted considerable attention in the United Kingdom over its plans to intercept cookies at ISP-level and substitute them with a cookie that allows the company to track users' online activities across all websites visited.
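To make the scoping and expiry rules above concrete, here is a small cookie jar written for this post (not code from the original article) that models what a browser does: it stores each Set-Cookie header with its domain, path and deletion date, returns only the matching cookies on later requests, and discards session cookies when the browser exits. The hosts, paths and cookie names used with it are constructed for the demonstration.

```python
from collections import namedtuple
from urllib.parse import urlparse

# expires_at is None for a session cookie (dropped when the browser exits)
Cookie = namedtuple("Cookie", "name value domain path expires_at")

def _path_match(req: str, cpath: str) -> bool:
    # RFC 6265 path-match: equal, or cpath is a directory prefix of the request path
    return req == cpath or (req.startswith(cpath) and
                            (cpath.endswith("/") or req[len(cpath)] == "/"))

class MiniCookieJar:
    def __init__(self) -> None:
        self.cookies: list = []

    def receive(self, url: str, set_cookie: str, now: float) -> None:
        # Store the cookie from one Set-Cookie header, scoped as the server asked
        host = urlparse(url).hostname
        first, *attrs = [p.strip() for p in set_cookie.split(";")]
        name, _, value = first.partition("=")
        domain, path, expires_at = host, "/", None
        for attr in attrs:
            key, _, val = attr.partition("=")
            key = key.lower()  # attribute names are case-insensitive
            if key == "domain":
                domain = val.lstrip(".").lower()
            elif key == "path":
                path = val or "/"
            elif key == "max-age":
                expires_at = now + int(val)  # a deletion date makes the cookie persistent
        # A cookie with the same name, domain and path replaces the earlier one
        self.cookies = [c for c in self.cookies
                        if (c.name, c.domain, c.path) != (name, domain, path)]
        self.cookies.append(Cookie(name, value, domain, path, expires_at))

    def cookie_header(self, url: str, now: float) -> str:
        # Build the Cookie header the browser sends back unchanged for this request
        u = urlparse(url)
        host, req_path = u.hostname, u.path or "/"
        sent = [f"{c.name}={c.value}" for c in self.cookies
                if (c.expires_at is None or c.expires_at > now)          # not expired
                and (host == c.domain or host.endswith("." + c.domain))  # domain scope
                and _path_match(req_path, c.path)]                       # path scope
        return "; ".join(sent)

    def end_session(self) -> None:
        # Browser exit: cookies without an expiry date are discarded
        self.cookies = [c for c in self.cookies if c.expires_at is not None]
```

The jar deliberately trusts the Domain attribute as given; a real browser also refuses a cookie whose Domain does not cover the host that set it.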

A cookie can be stolen by another computer that is allowed to read from the network.

Cross-site scripting: a cookie that should only be exchanged between a server and a client is sent to another party.

Cookie poisoning: an attacker sends a server an invalid cookie, possibly modifying a valid cookie it previously received from the server.

In cross-site cooking, the attacker exploits a browser bug to send an invalid cookie to a server.
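The server-side counterpart to these threats, written for this post rather than taken from the original article: the cookie value carries an HMAC tag, so a cookie that was modified on the way back (cookie poisoning) or fabricated outright is rejected, and the Set-Cookie line adds the Secure and HttpOnly attributes so the cookie is not sent over plaintext links or exposed to page scripts. The key, cookie name and sample data are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed placeholder key: a real server loads this from configuration
SECRET = b"constructed-demo-key-do-not-use"

def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")

def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_cookie_value(data: dict, now: float, ttl: int = 3600) -> str:
    """Serialize data with an expiry and append an HMAC-SHA256 tag over it."""
    payload = _b64e(json.dumps({"d": data, "exp": now + ttl}).encode())
    tag = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{tag}"

def read_cookie_value(cookie: str, now: float) -> Optional[dict]:
    """Return the stored data, or None if the cookie was modified, forged or expired."""
    payload, _, tag = cookie.rpartition(".")
    expected = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        return None  # any change to the value (cookie poisoning) breaks the tag
    try:
        obj = json.loads(_b64d(payload))
    except (ValueError, TypeError):
        return None
    if obj.get("exp", 0) <= now:
        return None  # persistent cookie past its deletion date
    return obj["d"]

def set_cookie_header(name: str, data: dict, now: float) -> str:
    """Set-Cookie line: Secure keeps it off plaintext links, HttpOnly keeps it from scripts."""
    return f"{name}={make_cookie_value(data, now)}; Path=/; Secure; HttpOnly"
```

Signing only detects tampering; the data is still readable by whoever holds the cookie, so nothing secret belongs in it.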
