Slide 1

WELCOME!

Slide 2

Demystifying Cookies: a much easier topic than you think

SPEAKER: Fabien Taillon, Texeï

Slide 3

Fabien Taillon
Partner & CTO at Texeï
Salesforce MVP - Hall of Fame
Paris Developer Group leader
French Touch Dreamin team
https://x.com/FabienTaillon
https://www.linkedin.com/in/fabientaillon
https://trailblazer.me/id/fabien
https://texei.com/blog

Slide 4

Agenda
● Why cookies?
● What are cookies?

Slide 5

COOKIES?

Slide 6

Cookies? SameSite, HttpOnly, Third Party, XSS, Enhanced Domains

Slide 8

Why cookies?

Help deliver a more personalized experience
● Settings
● Shopping Cart
● Session Id
● …

Slide 9

What are cookies?

Basically a list of key-value pairs stored per domain and sent back to the server with every request.

Slide 10

What are cookies?

Basically a list of key-value pairs stored per domain and sent back to the server with every request.

Cookie name       Cookie value        Domain
my-cookie-name    my-cookie-value     mysite.com
my-cookie-name    my-cookie-value     myothersite.com
is-dark-mode      yes                 mysite.com
session-id        439874HF98743297N   mysite.com

Slide 11

A simple example: mysite.com

Slide 12

A simple example: mysite.com

Until the user is logged in, there is no way to store personalized information on the server.
Each request will return the same page, “forgetting” what the user selected.

Slide 13

A simple example: mysite.com (the user toggles between DARK and LIGHT mode)

Slide 14

A simple example

Slide 16

Session handling

login → Set-Cookie: session-id=4432FED53434F
/my-connected-page (Cookie: session-id=4432FED53434F) → content

Slide 17

Request without session cookie
https://texei.lightning.force.com/lightning/page/home

Slide 18

Request with session cookie
https://texei.lightning.force.com/lightning/page/home
session-id=4432FED53434F

Slide 19

Can you spot something?

Slide 20

Same use case?

session-id=4432FED53434F
is-dark-mode=YES

Slide 21

Same use case?

session-id=4432FED53434F
is-dark-mode=YES

Is it really needed to send it server side?
Is it really needed to access it from client side?

Slide 22

Same use case?

session-id=4432FED53434F
is-dark-mode=YES

Is it really needed to send it server side?
Is it really needed to access it from client side?

Created in 1994
Official specifications in 1997
Not designed with security and privacy in mind

Slide 23

IMPROVEMENTS

Slide 24

Secure

Set-Cookie: session-id=12345; Secure

Not sent if not over HTTPS.

Slide 25

HttpOnly

Set-Cookie: session-id=12345; Secure; HttpOnly

Forbids JavaScript from accessing the cookie.
Reduces risks against Cross-Site Scripting (XSS) attacks → basically, through a security issue, a bad library, etc., insecure JavaScript ends up being executed on your domain and can thus read its cookies.

Slide 26

SameSite

Set-Cookie: session-id=12345; Secure; HttpOnly; SameSite=Strict

Controls whether or not a cookie is sent with cross-site requests.
SameSite=Strict → cookie sent only for same-site requests
SameSite=Lax → cookie is not sent on cross-site requests (ex: frame), but sent when navigating to the origin site from an external site
SameSite=None → cookie is sent with both cross-site and same-site requests
(Default changed to Lax in 2019)
Reduces risks against Cross-Site Request Forgery (CSRF) attacks
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#samesitesamesite-value
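As an added example (not from the deck), a small Python model of the rules on the Secure, HttpOnly and SameSite slides: it parses a Set-Cookie header, decides whether a browser would send the cookie on a given request, and lists which hardening attributes a session cookie is missing. The `is_sent` rules, the `audit` checks and the request flags are this example's own simplification of browser behaviour.

```python
"""Set-Cookie attribute model for the slides' Secure, HttpOnly and SameSite rules."""
from dataclasses import dataclass


@dataclass
class Cookie:
    name: str
    value: str
    secure: bool = False
    http_only: bool = False
    same_site: str = ""  # "" = attribute absent; browsers then behave as Lax


def parse_set_cookie(header: str) -> Cookie:
    """Parse 'name=value; Attr; Attr=Value' (attribute names are case-insensitive)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = Cookie(name=name.strip(), value=value.strip())
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "secure":
            cookie.secure = True
        elif key == "httponly":
            cookie.http_only = True
        elif key == "samesite":
            cookie.same_site = val.strip().capitalize()  # Strict / Lax / None
    return cookie


def is_sent(cookie: Cookie, https: bool, same_site_request: bool,
            top_level_navigation: bool) -> bool:
    """Simplified Secure and SameSite rules as described on the slides."""
    if cookie.secure and not https:
        return False                  # Secure: never sent over plain HTTP
    if same_site_request:
        return True                   # SameSite only limits cross-site requests
    mode = cookie.same_site or "Lax"  # browser default since the change noted above
    if mode == "Strict":
        return False                  # Strict: never on cross-site requests
    if mode == "Lax":
        return top_level_navigation   # Lax: only when navigating to the site
    return True                       # None: sent on every cross-site request


def audit(header: str) -> list:
    """Hardening attributes from the slides that a session cookie header lacks."""
    c = parse_set_cookie(header)
    checks = [("Secure", c.secure), ("HttpOnly", c.http_only),
              ("SameSite=Lax or Strict", c.same_site not in ("", "None"))]
    return [attr for attr, present in checks if not present]
```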

Slide 27

SameSite

Example: a page on my-evil-site.com triggers a request to my-crm.com/delete-data-without-user-confirm

Slide 28

3rd-Party COOKIES

Slide 29

Used to track the user: my-bike-shop.com, my-travel-agency.com

Slide 30

Used to track the user: my-bike-shop.com, my-travel-agency.com, facebook.com

Slide 31

Used to track the user: whatever.com

Slide 32

GDPR, CCPA…

Slide 34

Chrome third-party cookie phaseout

Slide 35

Enhanced Domains

“With enhanced domains, all Salesforce content shares a common domain, so the cookies can be shared and the browsers allow access, even when third-party cookies are blocked”
https://help.salesforce.com/s/articleView?id=sf.domain_name_enhanced_why.htm&type=5

Slide 36

Chrome third-party cookie phaseout

Chrome Extension: Privacy Sandbox Analysis Tool
https://chromewebstore.google.com/detail/privacy-sandbox-analysis/ehbnpceebmgpanbbfckhoefhdibijkef
chrome://flags/#test-third-party-cookie-phaseout

Slide 38

Resources

Chrome third-party cookie phaseout
https://developers.google.com/privacy-sandbox/3pcd
Privacy Sandbox Analysis Tool
https://chromewebstore.google.com/detail/privacy-sandbox-analysis/ehbnpceebmgpanbbfckhoefhdibijkef
Third-Party Cookies in Marketing Cloud Engagement
https://help.salesforce.com/s/articleView?language=en_US&id=sf.mc_ctc_partitioned_cookies.htm&type=5

Slide 39

THANK YOU!

Slide 40

● Stateful information (shopping cart, session…)
● Avoid storing state server-side (remember Visualforce state?)
● Third-party cookies for tracking
● Session cookie (expires when browser (tab?) closed)
● Persistent cookie
● What about no expiration date?
● Security: intercept user session cookie?
● Cross-site scripting (XSS)
● Cross-site request forgery (CSRF)
● Secure cookie: a cookie is made secure by adding the Secure flag to the cookie.
● New cookie type: Partitioned