[London's Calling 2024] Demystifying Cookies: a much easier topic than you think

Transcript

1. #LDNsCall #LC24 Fabien Taillon Partner & CTO at Texeï Salesforce

   MVP Hall of Fame @FabienTaillon Demystifying Cookies: a much easier topic than you think

2. Who am I Fabien Taillon - Salesforce MVP - Hall

   of Fame - CTO at Texeï - Paris Developer Group leader - French Touch Dreamin team @FabienTaillon https://texei.com/blog

3. Cookies ?

4. Cookies ? SameSite HttpOnly Third Party XSS Enhanced Domains cookies

5. Cookies ? SameSite HttpOnly Third Party XSS Enhanced Domains cookies

6. Help deliver a more personalized experience • Settings • Shopping

   Cart • Session Id • … Why cookies ?

7. Basically a list of key - value pair stored per

   domain, and send back to the server at every request What are cookies ?

8. Basically a list of key - value pair stored per

   domain, and send back to the server at every request What are cookies ? Cookie name Cookie value Domain my-cookie-name my-cookie-value mysite.com my-cookie-name my-cookie-value myothersite.com is-dark-mode yes mysite.com session-id 439874HF98743297N mysite.com

9. A simple example mysite.com

10. A simple example mysite.com Until user is connected, no way

    to store personalized information on the server Each request will return the same page, “forgetting” what user selected

11. A simple example mysite.com DARK DARK LIGHT LIGHT DARK

12. A simple example

13. A simple example

14. Session handling login Set-Cookie: session-id=4432FED53434F /my-connected-page cookie: session-id=4432FED53434F content

15. Request without session cookie https://texei.lightning.force.com/lightning/page/home

16. Request with session cookie https://texei.lightning.force.com/lightning/page/home session-id=4432FED53434F

17. Can you spot something ?

18. Same use case ? session-id=4432FED53434F is-dark-mode=YES

19. Same use case ? session-id=4432FED53434F is-dark-mode=YES Is it really needed

    to send it server side ? Is it really needed to access it from client side ?

20. Same use case ? session-id=4432FED53434F is-dark-mode=YES Is it really needed

    to send it server side ? Is it really needed to access it from client side ? Created in 1994 Official Specifications in 1997 Not designed with security and privacy in mind

21. Improvements

22. Secure Set-Cookie: session-id=12345; Secure Not sent if not over HTTPS.

23. HttpOnly Set-Cookie: session-id=12345; Secure; HttpOnly Forbids JavaScript from accessing the

    cookie. Reduces risks against Cross-Site Scripting (XSS) attacks → Basically via a security issue, bad library etc, insecure JavaScript ends up being executed by your domain, thus accessing its cookies

24. SameSite Set-Cookie: session-id=12345; Secure; HttpOnly; SameSite=Strict Controls whether or not

    a cookie is sent with cross-site requests. SameSite=Strict → cookie sent only for same-site requests SameSite=Lax → cookie is not sent on cross-site requests (ex: frame), but sent when navigating to the origin site from an external site SameSite=None → cookie is sent with both cross-site and same-site requests (Default changed to LAX in 2019) Reduces risks against Cross-Site Request Forgery (CSRF) attacks https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#samesitesamesite-value

25. SameSite my-crm.com/delete-data my-crm.com/confirmation my-crm.com/my-page Delete Button

26. SameSite my-evil-site.com my-crm.com/delete-data

27. 3rd-Party Cookies

28. Used to track user my-bike-shop.com my-travel-agency.com

29. Used to track user my-bike-shop.com my-travel-agency.com facebook.com

30. Used to track user my-bike-shop.com my-travel-agency.com facebook.com User XXXX my-bike-shop.com

    my-travel-agency.com

31. Used to track user whatever.com User XXXX my-bike-shop.com my-travel-agency.com whatever.com

32. GDPR, CCPA

33. GDPR, CCPA

34. Chrome third-party cookies phaseout

35. Chrome third-party cookies phaseout Chrome Extension: Privacy Sandbox Analysis Tool

    https://chromewebstore.google.com/detail/privacy-sandbox-analysis/ehbnpceebmgpa nbbfckhoefhdibijkef chrome://flags/#test-third-party-cookie-phaseout

36. Chrome third-party cookies phaseout

37. CHIPS

38. CHIPS (Cookies Having Independent Partitioned State) my-bike-shop.com my-travel-agency.com facebook.com User

    XXXX my-bike-shop.com facebook.com User YYYY my-travel-agency.com

39. Enhanced Domains “With enhanced domains, all Salesforce content shares a

    common domain, so the cookies can be shared and the browsers allow access, even when third-party cookies are blocked”

40. Resources Chrome third-party cookie phaseout https://developers.google.com/privacy-sandbox/3pcd Privacy Sandbox Analysis Tool

    https://chromewebstore.google.com/detail/privacy-sandbox-analysis/ehbnpceebmgpa nbbfckhoefhdibijkef Third-Party Cookies in Marketing Cloud Engagement https://help.salesforce.com/s/articleView?language=en_US&id=sf.mc_ctc_partitioned _cookies.htm&type=5

41. #LDNsCall #LC24 Fabien Taillon Partner & CTO at Texeï Salesforce

    MVP Hall of Fame @FabienTaillon Q&A

42. #LDNsCall #LC24 Fabien Taillon Partner & CTO at Texeï Salesforce

    MVP Hall of Fame @FabienTaillon Thank You