Slide 1

#LDNsCall #LC24
Demystifying Cookies: a much easier topic than you think
Fabien Taillon, Partner & CTO at Texeï, Salesforce MVP Hall of Fame, @FabienTaillon

Slide 2

Who am I
- Fabien Taillon
- Salesforce MVP - Hall of Fame
- CTO at Texeï
- Paris Developer Group leader
- French Touch Dreamin team
@FabienTaillon
https://texei.com/blog

Slide 3

Cookies?

Slide 4

Cookies?
SameSite - HttpOnly - Third Party - XSS - Enhanced Domains cookies

Slide 6

Why cookies?
Help deliver a more personalized experience
● Settings
● Shopping Cart
● Session Id
● …

Slide 7

What are cookies?
Basically a list of key-value pairs stored per domain, and sent back to the server with every request.

Slide 8

What are cookies?
Basically a list of key-value pairs stored per domain, and sent back to the server with every request.

Cookie name    | Cookie value      | Domain
my-cookie-name | my-cookie-value   | mysite.com
my-cookie-name | my-cookie-value   | myothersite.com
is-dark-mode   | yes               | mysite.com
session-id     | 439874HF98743297N | mysite.com

Slide 9

A simple example: mysite.com

Slide 10

A simple example: mysite.com
Until the user is logged in, there is no way to store personalized information on the server.
Each request will return the same page, “forgetting” what the user selected.

Slide 11

A simple example: mysite.com
(diagram of the dark/light mode selection across successive requests: DARK, DARK, LIGHT, LIGHT, DARK)

Slide 12

A simple example

Slide 14

Session handling
login → Set-Cookie: session-id=4432FED53434F
/my-connected-page → Cookie: session-id=4432FED53434F → content

Slide 15

Request without session cookie
https://texei.lightning.force.com/lightning/page/home

Slide 16

Request with session cookie
https://texei.lightning.force.com/lightning/page/home
session-id=4432FED53434F
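The round trip of slides 7 to 16 (cookies stored per domain, sent back with every request, and a server that only recognizes the user once the session cookie comes back), written out as an added example in plain JavaScript. This is not code from the talk or from Salesforce: the cookie jar, the toy server, the domain `mysite.com`, the paths `/login` and `/my-connected-page` and the `SESSION-n` ids are all constructed for the illustration.

```javascript
// Added example (not from the slides): a minimal per-domain cookie jar plus a
// toy server showing login -> Set-Cookie -> Cookie -> personalized content.
// Domain, paths, user name and session ids are constructed placeholders.

// Cookie jar: one Map per domain, each holding cookie name -> value.
function createJar() {
  return new Map();
}

// Store the cookie carried by a Set-Cookie header value, for the given domain.
// Attributes after the first ';' are ignored here; the next example handles them.
function storeCookie(jar, domain, setCookieHeader) {
  const [nameValue] = setCookieHeader.split(';');
  const idx = nameValue.indexOf('=');
  const name = nameValue.slice(0, idx).trim();
  const value = nameValue.slice(idx + 1).trim();
  if (!jar.has(domain)) jar.set(domain, new Map());
  jar.get(domain).set(name, value);
}

// Build the Cookie request header for a domain ('' when nothing is stored).
function cookieHeaderFor(jar, domain) {
  const cookies = jar.get(domain);
  if (!cookies || cookies.size === 0) return '';
  return [...cookies].map(([n, v]) => `${n}=${v}`).join('; ');
}

// Parse a Cookie request header back into name -> value.
function parseCookieHeader(header) {
  const out = new Map();
  if (!header) return out;
  for (const pair of header.split(';')) {
    const idx = pair.indexOf('=');
    if (idx < 0) continue;
    out.set(pair.slice(0, idx).trim(), pair.slice(idx + 1).trim());
  }
  return out;
}

// Toy server: issues a session on /login, resolves it on /my-connected-page.
function createServer() {
  const sessions = new Map(); // session id -> user
  let counter = 0;
  return {
    handle(request) {
      if (request.path === '/login') {
        const id = `SESSION-${++counter}`; // placeholder; a real server uses a random id
        sessions.set(id, request.user);
        return { status: 200, setCookie: `session-id=${id}`, body: 'logged in' };
      }
      const sent = parseCookieHeader(request.cookie);
      const user = sessions.get(sent.get('session-id'));
      if (!user) return { status: 401, body: 'anonymous page' };
      return { status: 200, body: `content for ${user}` };
    },
  };
}

// Browser side: replay the flow of the slides and return what happened.
function runSessionFlow() {
  const domain = 'mysite.com';
  const jar = createJar();
  const server = createServer();
  const log = [];

  // 1. connected page before login: no cookie, so the server "forgets" us
  let res = server.handle({ path: '/my-connected-page', cookie: cookieHeaderFor(jar, domain) });
  log.push(`before login: ${res.status} ${res.body}`);

  // 2. login: the server answers with Set-Cookie, the jar stores it for mysite.com
  res = server.handle({ path: '/login', user: 'fabien' });
  storeCookie(jar, domain, res.setCookie);

  // 3. same page again: the jar sends the cookie back, the session is recognized
  res = server.handle({ path: '/my-connected-page', cookie: cookieHeaderFor(jar, domain) });
  log.push(`after login: ${res.status} ${res.body}`);

  // 4. another domain gets nothing from the jar: cookies are stored per domain
  log.push(`cookie header for other domain: "${cookieHeaderFor(jar, 'myothersite.com')}"`);
  return log;
}

console.log(runSessionFlow().join('\n'));
```

Run it with `node` and compare step 1 with step 3: the only difference between the two requests is the `Cookie` header, which is exactly why the session id is the value worth protecting in the slides that follow.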

Slide 17

Can you spot something?

Slide 18

Same use case?
session-id=4432FED53434F
is-dark-mode=YES

Slide 19

Same use case?
session-id=4432FED53434F
is-dark-mode=YES
Is it really needed to send it server side?
Is it really needed to access it from client side?

Slide 20

Same use case?
session-id=4432FED53434F
is-dark-mode=YES
Is it really needed to send it server side?
Is it really needed to access it from client side?
Created in 1994, official specifications in 1997.
Not designed with security and privacy in mind.

Slide 21

Improvements

Slide 22

Secure
Set-Cookie: session-id=12345; Secure
Not sent if not over HTTPS.

Slide 23

HttpOnly
Set-Cookie: session-id=12345; Secure; HttpOnly
Forbids JavaScript from accessing the cookie.
Reduces risks against Cross-Site Scripting (XSS) attacks
→ Basically, through a security issue, a bad library, etc., insecure JavaScript ends up being executed on your domain, and can thus read its cookies.

Slide 24

SameSite
Set-Cookie: session-id=12345; Secure; HttpOnly; SameSite=Strict
Controls whether or not a cookie is sent with cross-site requests.
SameSite=Strict → cookie sent only for same-site requests
SameSite=Lax → cookie is not sent on cross-site requests (ex: frame), but sent when navigating to the origin site from an external site
SameSite=None → cookie is sent with both cross-site and same-site requests
(Default changed to Lax in 2019)
Reduces risks against Cross-Site Request Forgery (CSRF) attacks
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#samesitesamesite-value

Slide 25

SameSite
(diagram: my-crm.com/my-page with a Delete button, my-crm.com/delete-data, my-crm.com/confirmation)

Slide 26

SameSite
(diagram: my-evil-site.com → my-crm.com/delete-data)
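The three attributes of slides 22 to 24, and the cross-site request of slides 25 and 26, as an added example that models the browser-side decision: is a stored cookie attached to this request, and can a script read it? This is not code from the talk; it is a toy model (the site of a host is reduced to its last two labels, paths and expiry are ignored) and the hosts `my-crm.com`, `my-evil-site.com` and `other-site.com`, the request shapes and the `12345` session value are constructed for the illustration.

```javascript
// Added example (not from the slides): how Secure, HttpOnly and SameSite change
// whether a cookie is sent with a request or visible to document.cookie.
// Hosts, request objects and values are constructed; a real browser applies
// more rules (path, expiry, public suffix list) than this toy does.

// Parse a Set-Cookie header value into a small cookie object.
// SameSite defaults to Lax when absent, matching the default change the slide mentions.
function parseSetCookie(header) {
  const [nameValue, ...attrs] = header.split(';').map((s) => s.trim());
  const idx = nameValue.indexOf('=');
  const cookie = {
    name: nameValue.slice(0, idx),
    value: nameValue.slice(idx + 1),
    secure: false,
    httpOnly: false,
    sameSite: 'Lax',
    rejected: false,
  };
  for (const attr of attrs) {
    const [k, v] = attr.split('=');
    const key = k.toLowerCase();
    if (key === 'secure') cookie.secure = true;
    else if (key === 'httponly') cookie.httpOnly = true;
    else if (key === 'samesite' && v) {
      cookie.sameSite = v.charAt(0).toUpperCase() + v.slice(1).toLowerCase();
    }
  }
  // Browsers only accept SameSite=None on cookies that are also Secure.
  if (cookie.sameSite === 'None' && !cookie.secure) cookie.rejected = true;
  return cookie;
}

// Toy "site" of a host: its last two labels ("app.my-crm.com" -> "my-crm.com").
function siteOf(host) {
  return host.split('.').slice(-2).join('.');
}

// Should `cookie`, stored for cookieHost, be attached to `request`?
// request = { scheme, host, method, initiatorHost, topLevelNavigation }
function shouldSend(cookie, cookieHost, request) {
  if (cookie.rejected) return false;
  if (siteOf(request.host) !== siteOf(cookieHost)) return false; // not this cookie's site
  if (cookie.secure && request.scheme !== 'https') return false;  // slide 22: Secure
  const crossSite = siteOf(request.initiatorHost) !== siteOf(request.host);
  if (!crossSite) return true;                                     // same-site: always sent
  switch (cookie.sameSite) {                                       // slide 24: SameSite
    case 'Strict': return false;
    case 'Lax': return request.topLevelNavigation && request.method === 'GET';
    case 'None': return true;
    default: return false;
  }
}

// What document.cookie would expose: HttpOnly cookies are hidden (slide 23).
function visibleToScript(cookies) {
  return cookies.filter((c) => !c.httpOnly).map((c) => `${c.name}=${c.value}`).join('; ');
}

// The scenario of slides 25 and 26 under a given Set-Cookie policy.
function csrfScenario(setCookieHeader) {
  const cookie = parseSetCookie(setCookieHeader);
  const crm = 'my-crm.com';
  // slide 25: the user clicks Delete on my-crm.com/my-page (same-site POST)
  const ownDelete = { scheme: 'https', host: crm, method: 'POST', initiatorHost: crm, topLevelNavigation: true };
  // slide 26: a page on my-evil-site.com submits a form to my-crm.com/delete-data (cross-site POST)
  const forgedDelete = { scheme: 'https', host: crm, method: 'POST', initiatorHost: 'my-evil-site.com', topLevelNavigation: true };
  // a plain link from another site to my-crm.com/my-page (cross-site top-level GET)
  const externalLink = { scheme: 'https', host: crm, method: 'GET', initiatorHost: 'other-site.com', topLevelNavigation: true };
  return {
    ownDelete: shouldSend(cookie, crm, ownDelete),
    forgedDelete: shouldSend(cookie, crm, forgedDelete),
    externalLink: shouldSend(cookie, crm, externalLink),
  };
}

for (const policy of ['SameSite=None', 'SameSite=Lax', 'SameSite=Strict']) {
  console.log(policy, csrfScenario(`session-id=12345; Secure; HttpOnly; ${policy}`));
}
```

The output shows the trade-off the slide describes: `Strict` drops the cookie on the forged POST but also on the harmless link from another site, `Lax` keeps the link working while still dropping the forged POST, and `None` sends it everywhere, which is why a `None` cookie needs a separate CSRF defence on the server.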

Slide 27

3rd-Party Cookies

Slide 28

Used to track users
(diagram: my-bike-shop.com, my-travel-agency.com)

Slide 29

Used to track users
(diagram: my-bike-shop.com, my-travel-agency.com, facebook.com)

Slide 30

Used to track users
(diagram: my-bike-shop.com, my-travel-agency.com, facebook.com; User XXXX → my-bike-shop.com, my-travel-agency.com)

Slide 31

Used to track users
(diagram: whatever.com; User XXXX → my-bike-shop.com, my-travel-agency.com, whatever.com)

Slide 32

GDPR, CCPA

Slide 34

Chrome third-party cookies phaseout

Slide 35

Chrome third-party cookies phaseout
Chrome Extension: Privacy Sandbox Analysis Tool
https://chromewebstore.google.com/detail/privacy-sandbox-analysis/ehbnpceebmgpanbbfckhoefhdibijkef
chrome://flags/#test-third-party-cookie-phaseout

Slide 37

CHIPS

Slide 38

CHIPS (Cookies Having Independent Partitioned State)
(diagram: facebook.com sees User XXXX on my-bike-shop.com and User YYYY on my-travel-agency.com)
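The tracking diagrams of slides 28 to 31 and the partitioned version of slide 38, as an added example (not code from the talk) that runs the same visit sequence with an ordinary third-party cookie jar and with a partitioned one. The third party is called `tracker.example` here instead of a real company, and the site names, the `User-XXXX` / `User-YYYY` ids and the jar are all constructed for the illustration; the `Partitioned` attribute mentioned in the comment is the real CHIPS attribute, everything else is a model.

```javascript
// Added example (not from the slides): cross-site tracking via a third-party
// cookie, and how CHIPS partitioning breaks the link between two visits.
// Sites, the tracker host and the user ids are constructed for illustration.

// Cookie jar keyed by the cookie's host. With partitioning on (a CHIPS cookie,
// Set-Cookie: ...; Partitioned), the key also includes the top-level site the
// user is visiting, so every embedding site gets its own copy of the cookie.
function makeJar({ partitioned }) {
  const store = new Map();
  const keyFor = (cookieHost, topLevelSite) =>
    partitioned ? `${topLevelSite}|${cookieHost}` : cookieHost;
  return {
    get: (cookieHost, topLevelSite) => store.get(keyFor(cookieHost, topLevelSite)) || null,
    set: (cookieHost, topLevelSite, value) => store.set(keyFor(cookieHost, topLevelSite), value),
  };
}

// The embedded third party: if its cookie comes back it reuses the id, otherwise
// it assigns a fresh one via Set-Cookie. Returns the id it saw for this visit.
function makeTracker() {
  const host = 'tracker.example';
  let issued = 0;
  return {
    host,
    handleEmbed(jar, topLevelSite) {
      let id = jar.get(host, topLevelSite);
      if (!id) {
        id = `User-${'XYZ'[issued++].repeat(4)}`; // User-XXXX, User-YYYY, ...
        jar.set(host, topLevelSite, id);           // the browser stores the Set-Cookie
      }
      return id;
    },
  };
}

// Visit both shops (each embeds the tracker) and report the id the tracker saw
// on each. The same id on both sites means the two visits are linkable.
function simulateTracking({ partitioned }) {
  const jar = makeJar({ partitioned });
  const tracker = makeTracker();
  const sites = ['my-bike-shop.com', 'my-travel-agency.com'];
  const seen = {};
  for (const site of sites) seen[site] = tracker.handleEmbed(jar, site);
  return { ...seen, linkable: seen[sites[0]] === seen[sites[1]] };
}

console.log('third-party cookies:', simulateTracking({ partitioned: false }));
console.log('CHIPS partitioned:  ', simulateTracking({ partitioned: true }));
```

The unpartitioned run reproduces slide 30 (one id across both shops); the partitioned run reproduces slide 38 (a different id per embedding site), which is also why a legitimate embedded widget that only needs per-site state keeps working when third-party cookies are blocked.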

Slide 39

Enhanced Domains
“With enhanced domains, all Salesforce content shares a common domain, so the cookies can be shared and the browsers allow access, even when third-party cookies are blocked”

Slide 40

Resources
Chrome third-party cookie phaseout
https://developers.google.com/privacy-sandbox/3pcd
Privacy Sandbox Analysis Tool
https://chromewebstore.google.com/detail/privacy-sandbox-analysis/ehbnpceebmgpanbbfckhoefhdibijkef
Third-Party Cookies in Marketing Cloud Engagement
https://help.salesforce.com/s/articleView?language=en_US&id=sf.mc_ctc_partitioned_cookies.htm&type=5

Slide 41

#LDNsCall #LC24
Q&A
Fabien Taillon, Partner & CTO at Texeï, Salesforce MVP Hall of Fame, @FabienTaillon

Slide 42

#LDNsCall #LC24
Thank You
Fabien Taillon, Partner & CTO at Texeï, Salesforce MVP Hall of Fame, @FabienTaillon