0
COOKIES
HTTP STATE MANAGEMENT MECHANISM
OUR TEAM
Bibek Subedi, 066 BCT 506
Dinesh Subedi, 066 BCT 512 Laxmi Kadariya, 066 BCT 518
Jivan Nepali, 066 BCT 517
June 1...
PRESENTATION OUTLINE
 INTRODUCTION – Definition, Types, Purpose, Syntax & Semantics of Cookies
 COOKIE TECHNOLOGY – Comp...
INTRODUCTION
 A “cookie” is a small piece of information sent by a web server to store
on a web browser so it can later b...
PURPOSE OF COOKIES
 Cookies make the interaction between users and web sites faster and easier
 Web sites often use cook...
TYPES OF COOKIES
 Session or Transient cookies
Cookies that are stored in the computer’s memory only during a user’s
brow...
SYNTAX & SEMANTICS OF
COOKIES
1. Cookie Name
◦ public String getName();
◦ public void setName(String name);
2. Cookie Valu...
EXAMPLE- SYNTAX &
SEMANTICS (Java)
Creating a Cookie
Step 1: Create a Cookie instance by calling the
Constructor
Cookie co...
COOKIE COMPONENTS
 HTTP is stateless. But, if an website wants to keep track the
identity of its user, then HTTP uses coo...
WORKING PRINCIPLE:USER-SERVER
INTERACTION
 Suppose Susan, who always accesses the Web using Internet Explorer
from her ho...
WORKING PRINCIPLE CONTD…
Figure : Keeping user ‘state’
using cookies
WORKING PRINCIPLE CONTD…
WHAT COOKIES CAN BRING
 Authorization
 Shopping carts
 Recommendations
 User session state (W...
PRIVACY CONSIDERATIONS
 Third party cookies
if a user visits a site that contains content from a third party and then lat...
SECURITY CONSIDERATIONS
 Ambient authority
 Clear text
 Session identifier
 Weak confidentiality
 Weak integrity
COOKIE AUTHENTICATION
GUIDELINES
 Use SSL for username/password authentication
 Do not store plain text or weakly encryp...
COOKIE AUTHENTICATION GUIDELINES
CONTD…
(Whenever possible) Tie cookie authentication to an IP address (part or all
of th...
Thank
You!
Questions & Answers Session
Upcoming SlideShare
Loading in...5
×

Cookies: HTTP state management mechanism

776

Published on

Published in: Education, Technology
0 Comments
2 Likes
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total Views
776
On Slideshare
0
From Embeds
0
Number of Embeds
0
Actions
Shares
0
Downloads
33
Comments
0
Likes
2
Embeds 0
No embeds

No notes for slide

Transcript of "Cookies: HTTP state management mechanism"

  1. 1. COOKIES HTTP STATE MANAGEMENT MECHANISM
  2. 2. OUR TEAM Bibek Subedi, 066 BCT 506 Dinesh Subedi, 066 BCT 512 Laxmi Kadariya, 066 BCT 518 Jivan Nepali, 066 BCT 517 June 19, 2013
  3. 3. PRESENTATION OUTLINE  INTRODUCTION – Definition, Types, Purpose, Syntax & Semantics of Cookies  COOKIE TECHNOLOGY – Components, Working Principle & Storage Model  COOKIE: PRIVACY CONSIDERATIONS  COOKIE: SECURITY CONSIDERATIONS  COOKIE AUTHENTICATION GUIDELINES
  4. 4. INTRODUCTION  A “cookie” is a small piece of information sent by a web server to store on a web browser so it can later be read back from that browser. This is useful for having the browser remember some specific information.  Cookies were designed to be a reliable mechanism for websites to remember the state of the website or activity the user had taken in the past  Although cookies cannot carry viruses, and cannot install malware on the host computer, tracking cookies and especially third-party tracking cookies are commonly used as ways to compile long-term records of individuals’ browsing histories – Privacy Concern
  5. 5. PURPOSE OF COOKIES  Cookies make the interaction between users and web sites faster and easier  Web sites often use cookies of the purpose of collecting demographic information about their users.  Cookies enable web sites to monitor their users’ web surfing habits and profile them for marketing purposes  With the increasing commercial applications of the Internet, it was probably inevitable that cookies would quickly be utilized for advertising purposes.  Since cookies can be matched to the profile of a user’s interests and browsing habits, they are a natural tool for the “targeting” of advertisements to individual users.
  6. 6. TYPES OF COOKIES  Session or Transient cookies Cookies that are stored in the computer’s memory only during a user’s browsing session and are automatically deleted form the user’s computer when the browser is closed.  Permanent, Persistent or Stored cookies Permanent cookies can be used to identify individual users, so they may be used by web sites to analyze users’ surfing behavior within the web site. They are usually configured to keep track of users for a prolonged period of time, in some cases many years into the future.
  7. 7. SYNTAX & SEMANTICS OF COOKIES 1. Cookie Name ◦ public String getName(); ◦ public void setName(String name); 2. Cookie Value ◦ public String getValue(); ◦ public void setValue(String value); 3. Cookie Version ◦ public String getVersion(); ◦ pulic void setVersion(String domain); 4. Cookie Age ◦ public in getMaxAge(); ◦ public void setMaxAge(int lifetime);
  8. 8. EXAMPLE- SYNTAX & SEMANTICS (Java) Creating a Cookie Step 1: Create a Cookie instance by calling the Constructor Cookie cookie = new Cookie() Step 2: Set the name and value of the Cookie cookie.setName(“ID”); cookie.setValue(5); (Both step can be done directly using Cookie cookie = new Cookie(“ID”,5) Step 3: Set and maximum age and version of Cookie cookie.setMaxAge(2500); cookie.setVersion(1); Step 4: Finally add the cookie object to the response object Response.addCookie(cookie);
  9. 9. COOKIE COMPONENTS  HTTP is stateless. But, if an website wants to keep track the identity of its user, then HTTP uses cookie for this purpose.  Cookie technology has following four components o A cookie header line in the HTTP response message o A cookie header line in the HTTP request message o A cookie file kept in the user’s end system & managed by the user’s browser o A back-end database at the website
  10. 10. WORKING PRINCIPLE:USER-SERVER INTERACTION  Suppose Susan, who always accesses the Web using Internet Explorer from her home PC, contacts amazon.com for the first time.  Let us suppose that in the past she has already visited the eBay site – ebay.com.  When the HTTP request comes in the Amazon’s web server, it creates ◦ unique Identification number ◦ entry in backend database that is indexed by the Identification number for Susan
  11. 11. WORKING PRINCIPLE CONTD… Figure : Keeping user ‘state’ using cookies
  12. 12. WORKING PRINCIPLE CONTD… WHAT COOKIES CAN BRING  Authorization  Shopping carts  Recommendations  User session state (Web e-mail) HOW TO KEEP STATE  Protocol endpoints: maintain state at sender/receiver over multiple transactions  Cookies: http messages carry state
  13. 13. PRIVACY CONSIDERATIONS  Third party cookies if a user visits a site that contains content from a third party and then later visits another site that contains content from the same third party, the third party can track the user between the two sites  User controls User agents SHOULD provide users with a mechanism for managing the cookies stored in the cookie store  Expiration dates Although servers can set the expiration date for cookies to the distant future, most user agents do not actually retain cookies for multiple decades
  14. 14. SECURITY CONSIDERATIONS  Ambient authority  Clear text  Session identifier  Weak confidentiality  Weak integrity
  15. 15. COOKIE AUTHENTICATION GUIDELINES  Use SSL for username/password authentication  Do not store plain text or weakly encrypted password in a cookie  The cookie should not be re-used or re-used easily by another person  Password or other confidential info should not be able to be extracted from the cookie  Cookie authentication credential should NOT be valid for an over extended length of times  Set up “booby trapped” session tokens that never actually get assigned but will detect if an attacker is trying to brute force a range of tokens.
  16. 16. COOKIE AUTHENTICATION GUIDELINES CONTD… (Whenever possible) Tie cookie authentication to an IP address (part or all of the IP address)  Adding “salt” to your cookie (e.g. hashed http header of a particular browser, MAC address)  Re-authenticate whenever critical decisions are made  Over write tokens upon logout.  Consider using server side cache to store session information, only retain an index to the cache on the client side (also use ‘booby trapped’ indices)
  17. 17. Thank You! Questions & Answers Session
  1. A particular slide catching your eye?

    Clipping is a handy way to collect important slides you want to go back to later.

×