HTTP Cookies

Aleksandrs Cudars

April 08, 2013

Transcript

  1. A cookie, also known as an HTTP cookie, web cookie, or browser cookie, is a small piece of data sent from a website and stored in a user's web browser while the user is browsing that website.
  2. When the user browses the same website in the future, the data stored in the cookie can be retrieved by the website to notify the website of the user's previous activity.
  3. Cookies were designed to be a reliable mechanism for websites to remember the state of the website or activity the user had taken in the past.
  4. This can include clicking particular buttons, logging in, or a record of which pages were visited by the user even months or years ago.
  5. Although cookies cannot carry viruses, and cannot install malware on the host computer, tracking cookies and especially third-party tracking cookies are commonly used as ways to compile long-term records of individuals' browsing histories — a major privacy concern that prompted European and US lawmakers to take action in 2011.
  6. Cookies can also store passwords and forms you filled in, such as credit card numbers or your address. When a user accesses a website with a cookie function for the first time, a cookie is sent from the server to the browser and stored by the browser on the local computer. Later, when that user returns to the same website, the website recognizes him because of the stored cookie with his information.
  7. Other kinds of cookies perform essential functions in the modern Web. Perhaps most importantly, authentication cookies are the most common method used by web servers to know whether the user is logged in or not, and which account they are logged in under.
  8. Without such a mechanism, the site would not know whether to send a page containing sensitive information, or require the user to authenticate himself by logging in.
  9. The security of an authentication cookie generally depends on the security of the issuing website and the user's web browser, and on whether the cookie data is encrypted.
  10. Security vulnerabilities may allow a cookie's data to be read by an attacker, used to gain access to user data, or used to gain access (with the user's credentials) to the website to which the cookie belongs.
  11. Session Cookie: A user's session cookie (also known as an in-memory cookie or transient cookie) for a website exists in temporary memory only while the user is reading and navigating the website. When an expiry date or validity interval is not set at cookie creation time, a session cookie is created. Web browsers normally delete session cookies when the user closes the browser.
  12. Persistent Cookie: A persistent cookie will outlast user sessions. If a persistent cookie has its Max-Age set to 1 year, then, within the year, the initial value set in that cookie would be sent back to the server every time the user visited the server. This could be used to record a vital piece of information such as how the user initially came to this website. For this reason persistent cookies are also called tracking cookies.
  13. Secure Cookie: A secure cookie has the Secure attribute enabled and is only used via HTTPS, ensuring that the cookie is always encrypted when transmitted from client to server. This makes the cookie less likely to be exposed to cookie theft via eavesdropping.
  14. HttpOnly Cookie: The HttpOnly cookie is supported by most modern browsers. On a supported browser, an HttpOnly session cookie will be used only when transmitting HTTP (or HTTPS) requests, thus restricting access from other, non-HTTP APIs (such as JavaScript). This restriction mitigates but does not eliminate the threat of session cookie theft via cross-site scripting (XSS). This feature applies only to session-management cookies, and not other browser cookies.
  15. Third-party Cookie: First-party cookies are cookies set with the same domain (or its subdomain) as your browser's address bar. Third-party cookies are cookies set with domains different from the one shown in the address bar. The web pages on the first domain may feature content from a third-party domain, e.g. a banner advert run by www.advexample.com. Privacy setting options in most modern browsers allow you to block third-party tracking cookies.
  16. Supercookie: A "supercookie" is a cookie with an origin of a Top-Level Domain (TLD) or an effective Top-Level Domain. Some domains that are considered "Top-Level" may in fact be a secondary or lower-level domain. For example, .co.uk or k12.ca.us are considered Top-Level even though they are multiple levels deep. These domains are referred to as Public Suffixes and are not open for reservation by end-users.
  17. Zombie Cookie: Some cookies are automatically recreated after a user has deleted them; these are called zombie cookies. This is accomplished by a script storing the content of the cookie in other locations, such as the local storage available to Flash content, HTML5 storage and other client-side mechanisms, and then recreating the cookie from those backup stores when the cookie's absence is detected.
  18. Structure: A cookie contains no more than 255 characters and cannot take up more than 4K of disk space. It consists of six parameters:
      1. Name of the cookie
      2. Value of the cookie
      3. The expiration of the cookie (using Greenwich Mean Time)
      4. The path the cookie is good for
      5. The domain the cookie is good for
      6. The need for a secure connection to use the cookie
      Only the first two parameters are required for the successful operation of the cookie.
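As an added example that is not part of the original deck, the following Python checker parses a Set-Cookie header into the parameters listed under Structure, classifies the cookie as session or persistent (slides 11 and 12), and flags the Secure, HttpOnly, third-party and public-suffix issues from slides 13 to 16 from a defender's point of view. The PUBLIC_SUFFIXES set and all sample headers are constructed for illustration; a real audit would use the full public suffix list.

```python
PUBLIC_SUFFIXES = {"com", "uk", "co.uk", "us", "ca.us", "k12.ca.us"}  # constructed sample

def parse_set_cookie(header):
    """Split a Set-Cookie header into name, value and the attributes the deck lists."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    cookie = {"name": name.strip(), "value": value.strip(), "expires": None,
              "max_age": None, "path": "/", "domain": None,
              "secure": False, "httponly": False}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key in ("secure", "httponly"):        # flag attributes carry no value
            cookie[key] = True
        elif key == "max-age" and val.lstrip("-").isdigit():
            cookie["max_age"] = int(val)
        elif key == "domain":                    # browsers ignore a leading dot
            cookie["domain"] = val.lstrip(".").lower()
        elif key in ("expires", "path"):
            cookie[key] = val
    return cookie

def cookie_kind(cookie):
    """A session cookie is one created with neither Expires nor Max-Age."""
    persistent = cookie["expires"] is not None or cookie["max_age"] is not None
    return "persistent" if persistent else "session"

def is_third_party(cookie, page_host):
    """Third-party unless the cookie domain is the address-bar host or a parent of it."""
    domain = cookie["domain"] or page_host
    return page_host != domain and not page_host.endswith("." + domain)

def audit(cookie, page_host):
    """Return the weaknesses a defender would flag for this cookie on this page."""
    findings = []
    if not cookie["secure"]:
        findings.append("missing Secure: also sent over plain HTTP, exposed to eavesdropping")
    if not cookie["httponly"]:
        findings.append("missing HttpOnly: readable by JavaScript, so stealable via XSS")
    if cookie["domain"] in PUBLIC_SUFFIXES:
        findings.append("supercookie: Domain is a public suffix shared by unrelated sites")
    if is_third_party(cookie, page_host):
        findings.append("third-party: Domain differs from the address-bar host")
    return findings

if __name__ == "__main__":
    for hdr in ("sessionid=abc123; Path=/; Secure; HttpOnly",          # constructed headers
                "visitor=xyz; Max-Age=31536000; Domain=.example.com; Path=/"):
        c = parse_set_cookie(hdr)
        print(c["name"], cookie_kind(c), audit(c, "www.example.com"))
```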