[CzechDreamin 2024] Demystifying Cookies: a much easier topic than you think

Transcript

1. WELCOME!

2. SPEAKER Fabien Taillon Texeï Demystifying Cookies: a much easier topic

   than you think

3. Fabien Taillon Partner & CTO at Texeï Salesforce MVP -

   Hall of Fame Paris Developer Group leader French Touch Dreamin team https://x.com/FabienTaillon https://www.linkedin.com/in/fabientaillon https://trailblazer.me/id/fabien https://texei.com/blog

4. Why cookies ? What are cookies ? Agenda

5. COOKIES ?

6. cookies Cookies ? SameSite HttpOnly Third Party XSS Enhanced Domains

7. cookies Cookies ? SameSite HttpOnly Third Party XSS Enhanced Domains

8. Help deliver a more personalized experience • Settings • Shopping

   Cart • Session Id • … Why cookies ?

9. Basically a list of key - value pair stored per

   domain, and send back to the server at every request What are cookies ?

10. Basically a list of key - value pair stored per

    domain, and send back to the server at every request What are cookies ? Cookie name Cookie value Domain my-cookie-name my-cookie-value mysite.com my-cookie-name my-cookie-value myothersite.com is-dark-mode yes mysite.com session-id 439874HF98743297N mysite.com

11. A simple example mysite.com

12. A simple example mysite.com Until user is connected, no way

    to store personalized information on the server Each request will return the same page, “forgetting” what user selected

13. A simple example mysite.com DARK DARK LIGHT LIGHT DARK

14. A simple example

15. A simple example

16. Session handling login Set-Cookie: session-id=4432FED53434F /my-connected-page cookie: session-id=4432FED53434F content

17. Request without session cookie https://texei.lightning.force.com/lightning/page/home

18. Request with session cookie https://texei.lightning.force.com/lightning/page/home session-id=4432FED53434F

19. Can you spot something ?

20. Same use case ? session-id=4432FED53434F is-dark-mode=YES

21. Same use case ? session-id=4432FED53434F is-dark-mode=YES Is it really needed

    to send it server side ? Is it really needed to access it from client side ?

22. Same use case ? session-id=4432FED53434F is-dark-mode=YES Is it really needed

    to send it server side ? Is it really needed to access it from client side ? Created in 1994 Official Specifications in 1997 Not designed with security and privacy in mind

23. IMPROVEMENTS

24. Set-Cookie: session-id=12345; Secure Not sent if not over HTTPS. Secure

25. Set-Cookie: session-id=12345; Secure; HttpOnly Forbids JavaScript from accessing the cookie.

    Reduces risks against Cross-Site Scripting (XSS) attacks → Basically via a security issue, bad library etc, insecure JavaScript ends up being executed by your domain, thus accessing its cookies HttpOnly

26. Set-Cookie: session-id=12345; Secure; HttpOnly; SameSite=Strict Controls whether or not a

    cookie is sent with cross-site requests. SameSite=Strict → cookie sent only for same-site requests SameSite=Lax → cookie is not sent on cross-site requests (ex: frame), but sent when navigating to the origin site from an external site SameSite=None → cookie is sent with both cross-site and same-site requests (Default changed to LAX in 2019) Reduces risks against Cross-Site Request Forgery (CSRF) attacks https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#samesitesamesite-value SameSite

27. SameSite my-evil-site.com my-crm.com/delete-data-without-user-confirm

28. 3rd-Party COOKIES

29. Used to track user my-bike-shop.com my-travel-agency.com

30. Used to track user my-bike-shop.com my-travel-agency.com facebook.com

31. Used to track user whatever.com

32. GDPR, CCPA…

33. GDPR, CCPA…

34. Chrome third-party cookie phaseout

35. “With enhanced domains, all Salesforce content shares a common domain,

    so the cookies can be shared and the browsers allow access, even when third-party cookies are blocked” Enhanced Domains https://help.salesforce.com/s/articleView?id=sf.domain_name_enhanced_why.htm&type=5

36. Chrome Extension: Privacy Sandbox Analysis Tool https://chromewebstore.google.com/detail/privacy-sandbox-analys is/ehbnpceebmgpanbbfckhoefhdibijkef chrome://flags/#test-third-party-cookie-phaseout Chrome

    third-party cookie phaseout

37. Chrome third-party cookie phaseout

38. Chrome third-party cookie phaseout https://developers.google.com/privacy-sandbox/3pcd Privacy Sandbox Analysis Tool https://chromewebstore.google.com/detail/privacy-sandbox-analys

    is/ehbnpceebmgpanbbfckhoefhdibijkef Third-Party Cookies in Marketing Cloud Engagement https://help.salesforce.com/s/articleView?language=en_US&id=sf.m c_ctc_partitioned_cookies.htm&type=5 Resources

39. THANK YOU!

40. Stateful information (shopping cart, session…) Avoid storing state server-side (remember

    Visualforce state ?) Third-party cookies for tracking Session cookie (expires when browser (tab ?) closed) Persistent cookie What about no expiration date ? Security: Intercept user session cookie ? Cross-site scripting (XSS) Cross-site request forgery (CSRF) Secure cookie: A cookie is made secure by adding the Secure flag to the cookie. New cookie type: Partitioned