
Cross-Domain Cookies

Various approaches to handling cross-domain cookies, each with their pros and cons.

Published in: Software

  1. VICTOR. Developer Evangelist.
  2. The cookies that shouldn't be.
  3. COOKIE HISTORY
     - HTTP doesn't offer any way to keep state
     - So Netscape came up with cookies, in '94
     - Its original purpose: to keep track of a visitor's shopping cart
  4. USE CASES
     - Shopping carts
     - Preferences and personalisation
     - Analytics
     - Marketing
  5. RESTRICT
     - Cookies are bound to a single domain and, optionally, its subdomains
     - Cannot be bigger than 4 KB, but that's a bad idea for a whole bunch of other reasons
  6. ALTERNATIVES
     - IP address
     - ETags
     - Browser cache
     - Local and session storage (HTML5)
     - Fingerprinting
  7. ALTERNATIVES
     - Not reliable enough for unique identification
     - Not broadly supported
     - Do not respect users' privacy settings
     - Still bound to a single domain
  8. COOKING IT. May contain traces of nuts.
  9. PREREQUISITES. A trusted channel between the domains, e.g. a shared server-side data store.
  10. PUSH. Push it real good.
  11. PUSH. Use external resources (images) to push cookies to other domains.
  12. PUSH.
      GET / HTTP/1.1
      Host: a.tld
      Cookie: foo=bar
      Trusted storage: stores cookie "foo=bar" using a temporary token.
  13. PUSH.
      <img src="//b.tld/cookie.php?token=TOKEN" alt="">
  14. PUSH.
      GET /cookie.php?token=TOKEN HTTP/1.1
      Host: b.tld
      Trusted storage: gets cookie "foo=bar" using the given token.
  15. PUSH.
      GET /cookie.php?token=TOKEN HTTP/1.1
      Host: b.tld

      HTTP/1.1 200 OK
      Content-Type: image/gif
      Set-Cookie: foo=bar; path=/
  16. PUSH PROS
      - Cookies available on the first request to the other domain
      - If the image request is optimized to be non-blocking, can be very lightweight
  17. PUSH CONS
      - Treated as third-party cookies
      - Different behaviour across browsers
      - Might need additional mechanisms in place, depending on the structure of the network
      - Performance issues for a large number of domains
      - No way to know if the cookie exists on the other domain, so it will be repeated for each request
  18. JAVASCRIPT PULL. Pull it real good?
  19. JAVASCRIPT PULL. Uses JavaScript to fetch a cookie from another domain.
  20. JAVASCRIPT PULL.
      GET / HTTP/1.1
      Host: a.tld
      Trusted storage: stores a temporary request token.
  21. JAVASCRIPT PULL.
      <script src="//b.tld/cookie.php?token=TOKEN"></script>
  22. JAVASCRIPT PULL.
      GET /cookie.php?token=TOKEN HTTP/1.1
      Host: b.tld
      Cookie: foo=bar
      Trusted storage: verifies that the given request token exists.
  23. JAVASCRIPT PULL.
      GET /cookie.php?token=TOKEN HTTP/1.1
      Host: b.tld
      Cookie: foo=bar

      HTTP/1.1 200 OK
      Content-Type: application/javascript

      document.cookie = "foo=bar";
  24. JAVASCRIPT PULL PROS
      - Treated as first-party cookies
      - Allows for spoke-hub distribution, so scales well to a large number of domains
  25. JAVASCRIPT PULL CONS
      - Requires JavaScript
      - Cookies not available on the first request
      - Cannot set the HttpOnly flag
  26. JAVASCRIPT PULL THOUGHTS
      - Could also be implemented through AJAX
      - Would require Cross-Origin Resource Sharing headers to be implemented
      - Could serve as an alternative to shared storage
      - Doesn't work in older browsers
  27. HTTP PULL. Let's get crazy.
  28. HTTP PULL. Uses HTTP redirects to fetch a cookie from another domain.
  29. HTTP PULL.
      GET / HTTP/1.1
      Host: a.tld
      Trusted storage: stores a request object with the current request URL using a temporary token.
  30. HTTP PULL.
      GET / HTTP/1.1
      Host: a.tld

      HTTP/1.1 302 Found
      Set-Cookie: token=TOKEN; path=/
      Location: http://b.tld/?token=TOKEN
  31. HTTP PULL.
      GET /?token=TOKEN HTTP/1.1
      Host: b.tld
      Cookie: foo=bar
      Trusted storage: stores cookie "foo=bar" in the request object using the given token.
  32. HTTP PULL.
      GET /?token=TOKEN HTTP/1.1
      Host: b.tld
      Cookie: foo=bar

      HTTP/1.1 302 Found
      Location: http://a.tld/
  33. HTTP PULL.
      GET / HTTP/1.1
      Host: a.tld
      Cookie: token=TOKEN
      Trusted storage: gets the request object containing the cookie using the token.
  34. HTTP PULL.
      GET / HTTP/1.1
      Host: a.tld
      Cookie: token=TOKEN

      HTTP/1.1 200 OK
      Set-Cookie: token=DELETED; expires=Thu, 01-Jan-1970
      Set-Cookie: foo=bar; path=/
  35. INFINITE LOOPS. Not as fun as they sound.
  36. LOOP DETECTION
      - Without cookies, HTTP is stateless
      - Without state, there's no history
      - Without history, how do we know if we performed the redirect already?
  37. FINGERPRINTING
      - Can be done server-side
      - Accurate enough for loop prevention
      - Err on the safe side
  38. FINGERPRINTING
      - First three octets of the IP address
      - User-Agent and Host header
      - All other headers can change between requests for various legitimate reasons
  39. FINGERPRINTING
      - Domain A fingerprints the visitor
      - Before the redirect is performed, it checks if the fingerprint is already known (trusted storage: checks if the fingerprint exists)
  40. FINGERPRINTING
      - If not, it stores the fingerprint and the redirect cycle is performed (trusted storage: stores the fingerprint)
      - If successful, the fingerprint is removed
  41. SAFETY MEASURES
      - Well-known search engines are excluded
      - Only common browser user-agent strings are included
      - Only done for GET and HEAD requests
      - Requests over HTTPS are excluded
  42. HTTP PULL PROS
      - Treated as first-party cookies
      - Can be implemented transparently
      - Cookie is available on the first request to the application
      - Doesn't require any client-side changes
      - If properly optimized, can be very lightweight
  43. HTTP PULL CONS
      - High risk of redirect loops if mistakes are made in the fingerprinting mechanism
      - Increases the time-to-first-byte on the first request, especially if combined with HTTPS
      - Doesn't work for requests with a message body
  44. LESSONS LEARNED
      - GoogleBot and friends will sometimes use a fake ID
      - A lot of traffic is just noise created by various types of bots
      - The fewer cookies you need, the better
      - We need some way of establishing trust between domains outside of HTTP
  45. THANK YOU. Any questions?
  46. STAY IN TOUCH
      - victor@coolblue.nl
      - @victorwelling
      - linkedin.com/in/victorwelling
      - slideshare.net/victorwelling
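As an added example (not the talk's own code; the cookie.php it shows is not reproduced here), this Python simulation walks through the HTTP pull redirect cycle from slides 29 to 34 together with the fingerprint-based loop detection and safety measures from slides 36 to 41, so you can see why a visitor who drops cookies is bounced only once. The in-memory dicts stand in for the trusted shared storage, and the "Mozilla/" prefix test plus the two crawler names are assumed simplifications of "common browser user-agent strings" and "well-known search engines".

```python
import hashlib
import secrets

# Constructed in-memory stand-ins for the trusted server-side storage shared by a.tld and b.tld.
request_store = {}            # token -> {"url": URL first requested on a.tld, "cookie": value seen on b.tld}
pending_fingerprints = set()  # visitors currently inside a redirect cycle (loop detection)


def fingerprint(req):
    """First three IP octets, User-Agent and Host: the fields the talk treats as stable."""
    net = ".".join(req["ip"].split(".")[:3])
    ua = req["headers"].get("User-Agent", "")
    return hashlib.sha256(f"{net}|{ua}|{req['host']}".encode()).hexdigest()


def eligible(req):
    """Safety measures: GET/HEAD over plain HTTP from a browser-like UA that is not a known crawler.
    The 'Mozilla/' prefix and the two crawler names are assumed simplifications."""
    ua = req["headers"].get("User-Agent", "")
    return (req["method"] in ("GET", "HEAD") and req["scheme"] == "http"
            and ua.startswith("Mozilla/") and "Googlebot" not in ua and "bingbot" not in ua)


def handle_a(req):
    """a.tld: finish a redirect cycle, or start one for an eligible visitor without 'foo'."""
    token = req["cookies"].get("token")
    if token in request_store:                          # step 3: the visitor is back from b.tld
        entry = request_store.pop(token)
        pending_fingerprints.discard(fingerprint(req))  # cycle succeeded, forget this visitor
        set_cookie = ["token=DELETED; expires=Thu, 01-Jan-1970 00:00:00 GMT; path=/"]
        if entry["cookie"] is not None:
            set_cookie.append(f"foo={entry['cookie']}; path=/")
        return 200, {"Set-Cookie": set_cookie}
    fp = fingerprint(req)
    if "foo" in req["cookies"] or not eligible(req) or fp in pending_fingerprints:
        return 200, {}                                  # nothing to do, or already bounced once
    pending_fingerprints.add(fp)                        # step 1: remember the visitor, then bounce
    token = secrets.token_urlsafe(16)
    request_store[token] = {"url": f"http://{req['host']}{req['path']}", "cookie": None}
    return 302, {"Set-Cookie": [f"token={token}; path=/"],
                 "Location": f"http://b.tld/?token={token}"}


def handle_b(req):
    """b.tld: step 2, copy its own first-party 'foo' cookie into the request object, send back."""
    token = req["query"].get("token")
    if token not in request_store:
        return 404, {}
    request_store[token]["cookie"] = req["cookies"].get("foo")
    return 302, {"Location": request_store[token]["url"]}
```

A production version would also expire entries in both stores, since a visitor who never completes the cycle would otherwise stay "pending" forever.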