SlideShare a Scribd company logo
1 of 17
COOKIES
HTTP STATE MANAGEMENT MECHANISM
OUR TEAM
Bibek Subedi, 066 BCT 506
Dinesh Subedi, 066 BCT 512 Laxmi Kadariya, 066 BCT 518
Jivan Nepali, 066 BCT 517
June 19, 2013
PRESENTATION OUTLINE
 INTRODUCTION – Definition, Types, Purpose, Syntax & Semantics of Cookies
 COOKIE TECHNOLOGY – Components, Working Principle & Storage Model
 COOKIE: PRIVACY CONSIDERATIONS
 COOKIE: SECURITY CONSIDERATIONS
 COOKIE AUTHENTICATION GUIDELINES
INTRODUCTION
 A “cookie” is a small piece of information sent by a web server to store
on a web browser so it can later be read back from that browser. This is
useful for having the browser remember some specific information.
 Cookies were designed to be a reliable mechanism for websites to
remember the state of the website or activity the user had taken in the
past
 Although cookies cannot carry viruses, and cannot install malware on
the host computer, tracking cookies and especially third-party tracking
cookies are commonly used as ways to compile long-term records of
individuals’ browsing histories – Privacy Concern
PURPOSE OF COOKIES
 Cookies make the interaction between users and web sites faster and easier
 Web sites often use cookies of the purpose of collecting demographic information
about their users.
 Cookies enable web sites to monitor their users’ web surfing habits and profile
them for marketing purposes
 With the increasing commercial applications of the Internet, it was probably
inevitable that cookies would quickly be utilized for advertising purposes.
 Since cookies can be matched to the profile of a user’s interests and browsing
habits, they are a natural tool for the “targeting” of advertisements to individual
users.
TYPES OF COOKIES
 Session or Transient cookies
Cookies that are stored in the computer’s memory only during a user’s
browsing session and are automatically deleted form the user’s computer
when the browser is closed.
 Permanent, Persistent or Stored cookies
Permanent cookies can be used to identify individual users, so they may
be used by web sites to analyze users’ surfing behavior within the web
site. They are usually configured to keep track of users for a prolonged
period of time, in some cases many years into the future.
SYNTAX & SEMANTICS OF
COOKIES
1. Cookie Name
◦ public String getName();
◦ public void setName(String name);
2. Cookie Value
◦ public String getValue();
◦ public void setValue(String value);
3. Cookie Version
◦ public String getVersion();
◦ pulic void setVersion(String domain);
4. Cookie Age
◦ public in getMaxAge();
◦ public void setMaxAge(int lifetime);
EXAMPLE- SYNTAX &
SEMANTICS (Java)
Creating a Cookie
Step 1: Create a Cookie instance by calling the
Constructor
Cookie cookie = new Cookie()
Step 2: Set the name and value of the Cookie
cookie.setName(“ID”);
cookie.setValue(5);
(Both step can be done directly using Cookie
cookie = new Cookie(“ID”,5)
Step 3: Set and maximum age and version of
Cookie
cookie.setMaxAge(2500);
cookie.setVersion(1);
Step 4: Finally add the cookie object to the
response object
Response.addCookie(cookie);
COOKIE COMPONENTS
 HTTP is stateless. But, if an website wants to keep track the
identity of its user, then HTTP uses cookie for this purpose.
 Cookie technology has following four components
o A cookie header line in the HTTP response message
o A cookie header line in the HTTP request message
o A cookie file kept in the user’s end system & managed by the user’s
browser
o A back-end database at the website
WORKING PRINCIPLE:USER-SERVER
INTERACTION
 Suppose Susan, who always accesses the Web using Internet Explorer
from her home PC, contacts amazon.com for the first time.
 Let us suppose that in the past she has already visited the eBay site –
ebay.com.
 When the HTTP request comes in the Amazon’s web server, it creates
◦ unique Identification number
◦ entry in backend database that is indexed by the Identification number
for Susan
WORKING PRINCIPLE CONTD…
Figure : Keeping user ‘state’
using cookies
WORKING PRINCIPLE CONTD…
WHAT COOKIES CAN BRING
 Authorization
 Shopping carts
 Recommendations
 User session state (Web e-mail)
HOW TO KEEP STATE
 Protocol endpoints: maintain
state at sender/receiver over
multiple transactions
 Cookies: http messages carry
state
PRIVACY CONSIDERATIONS
 Third party cookies
if a user visits a site that contains content from a third party and then later visits
another site that contains content from the same third party, the third party can track
the user between the two sites
 User controls
User agents SHOULD provide users with a mechanism for managing the cookies stored
in the cookie store
 Expiration dates
Although servers can set the expiration date for cookies to the distant future, most
user agents do not actually retain cookies for multiple decades
SECURITY CONSIDERATIONS
 Ambient authority
 Clear text
 Session identifier
 Weak confidentiality
 Weak integrity
COOKIE AUTHENTICATION
GUIDELINES
 Use SSL for username/password authentication
 Do not store plain text or weakly encrypted password in a cookie
 The cookie should not be re-used or re-used easily by another person
 Password or other confidential info should not be able to be extracted from
the cookie
 Cookie authentication credential should NOT be valid for an over extended
length of times
 Set up “booby trapped” session tokens that never actually get assigned but will
detect if an attacker is trying to brute force a range of tokens.
COOKIE AUTHENTICATION GUIDELINES
CONTD…
(Whenever possible) Tie cookie authentication to an IP address (part or all
of the IP address)
 Adding “salt” to your cookie (e.g. hashed http header of a particular
browser, MAC address)
 Re-authenticate whenever critical decisions are made
 Over write tokens upon logout.
 Consider using server side cache to store session information, only retain
an index to the cache on the client side (also use ‘booby trapped’ indices)
Thank
You!
Questions & Answers Session

More Related Content

What's hot (20)

Cookies testing
Cookies testingCookies testing
Cookies testing
 
Authentication techniques
Authentication techniquesAuthentication techniques
Authentication techniques
 
Data Privacy Introduction
Data Privacy IntroductionData Privacy Introduction
Data Privacy Introduction
 
Password cracking and brute force
Password cracking and brute forcePassword cracking and brute force
Password cracking and brute force
 
Types of cyber attacks
Types of cyber attacksTypes of cyber attacks
Types of cyber attacks
 
public key infrastructure
public key infrastructurepublic key infrastructure
public key infrastructure
 
Web Security
Web SecurityWeb Security
Web Security
 
Web design - How the Web works?
Web design - How the Web works?Web design - How the Web works?
Web design - How the Web works?
 
Secure Session Management
Secure Session ManagementSecure Session Management
Secure Session Management
 
encryption and decryption
encryption and decryptionencryption and decryption
encryption and decryption
 
Web Application Security
Web Application SecurityWeb Application Security
Web Application Security
 
Internet security
Internet securityInternet security
Internet security
 
Cross Site Scripting Defense Presentation
Cross Site Scripting Defense Presentation Cross Site Scripting Defense Presentation
Cross Site Scripting Defense Presentation
 
Web security
Web securityWeb security
Web security
 
Chapter 3 Presentation
Chapter 3 PresentationChapter 3 Presentation
Chapter 3 Presentation
 
Packet sniffers
Packet sniffers Packet sniffers
Packet sniffers
 
Online Privacy
Online PrivacyOnline Privacy
Online Privacy
 
Web application attacks
Web application attacksWeb application attacks
Web application attacks
 
Phishing Presentation
Phishing Presentation Phishing Presentation
Phishing Presentation
 
HTTP VS. HTTPS: WHICH IS BETTER??
HTTP VS. HTTPS: WHICH IS BETTER??HTTP VS. HTTPS: WHICH IS BETTER??
HTTP VS. HTTPS: WHICH IS BETTER??
 

Similar to Cookies: HTTP state management mechanism

What Is Evercookie and Why You Should Avoid It for Privacy’s Sake
What Is Evercookie and Why You Should Avoid It for Privacy’s SakeWhat Is Evercookie and Why You Should Avoid It for Privacy’s Sake
What Is Evercookie and Why You Should Avoid It for Privacy’s SakePiwik PRO
 
Cookie replay attack unit wise presentation
Cookie replay attack  unit wise presentationCookie replay attack  unit wise presentation
Cookie replay attack unit wise presentationNilu Desai
 
Cookies and Session
Cookies and SessionCookies and Session
Cookies and SessionKoraStats
 
Enterprise java unit-2_chapter-2
Enterprise  java unit-2_chapter-2Enterprise  java unit-2_chapter-2
Enterprise java unit-2_chapter-2sandeep54552
 
Session tracking in servlets
Session tracking in servletsSession tracking in servlets
Session tracking in servletsvishal choudhary
 
Sea surfing in asp.net mvc
Sea surfing in asp.net mvcSea surfing in asp.net mvc
Sea surfing in asp.net mvcmagda3695
 
Cyber ethics cbse class xi
Cyber ethics cbse class xiCyber ethics cbse class xi
Cyber ethics cbse class xiArchana Dwivedi
 
Cookie & Session In ASP.NET
Cookie & Session In ASP.NETCookie & Session In ASP.NET
Cookie & Session In ASP.NETShingalaKrupa
 
Secure Code Warrior - Cookies and sessions
Secure Code Warrior - Cookies and sessionsSecure Code Warrior - Cookies and sessions
Secure Code Warrior - Cookies and sessionsSecure Code Warrior
 
Overview of Cookies in HTTP - Miran al Mehrab
Overview of Cookies in HTTP - Miran al MehrabOverview of Cookies in HTTP - Miran al Mehrab
Overview of Cookies in HTTP - Miran al MehrabCefalo
 
Cookies authentication
Cookies authenticationCookies authentication
Cookies authenticationRsilwal123
 

Similar to Cookies: HTTP state management mechanism (20)

16 cookies
16 cookies16 cookies
16 cookies
 
What Is Evercookie and Why You Should Avoid It for Privacy’s Sake
What Is Evercookie and Why You Should Avoid It for Privacy’s SakeWhat Is Evercookie and Why You Should Avoid It for Privacy’s Sake
What Is Evercookie and Why You Should Avoid It for Privacy’s Sake
 
Cookies
CookiesCookies
Cookies
 
Cookies & Session
Cookies & SessionCookies & Session
Cookies & Session
 
Cookie replay attack unit wise presentation
Cookie replay attack  unit wise presentationCookie replay attack  unit wise presentation
Cookie replay attack unit wise presentation
 
Cookies-PHP
Cookies-PHPCookies-PHP
Cookies-PHP
 
Sessions and cookies
Sessions and cookiesSessions and cookies
Sessions and cookies
 
Cookies and Session
Cookies and SessionCookies and Session
Cookies and Session
 
Enterprise java unit-2_chapter-2
Enterprise  java unit-2_chapter-2Enterprise  java unit-2_chapter-2
Enterprise java unit-2_chapter-2
 
Sessions&cookies
Sessions&cookiesSessions&cookies
Sessions&cookies
 
Session tracking in servlets
Session tracking in servletsSession tracking in servlets
Session tracking in servlets
 
Sea surfing in asp.net mvc
Sea surfing in asp.net mvcSea surfing in asp.net mvc
Sea surfing in asp.net mvc
 
Cyber ethics cbse class xi
Cyber ethics cbse class xiCyber ethics cbse class xi
Cyber ethics cbse class xi
 
Session,cookies
Session,cookiesSession,cookies
Session,cookies
 
Cookie & Session In ASP.NET
Cookie & Session In ASP.NETCookie & Session In ASP.NET
Cookie & Session In ASP.NET
 
APEX & Cookie Monster
APEX & Cookie MonsterAPEX & Cookie Monster
APEX & Cookie Monster
 
Session and cookies,get and post methods
Session and cookies,get and post methodsSession and cookies,get and post methods
Session and cookies,get and post methods
 
Secure Code Warrior - Cookies and sessions
Secure Code Warrior - Cookies and sessionsSecure Code Warrior - Cookies and sessions
Secure Code Warrior - Cookies and sessions
 
Overview of Cookies in HTTP - Miran al Mehrab
Overview of Cookies in HTTP - Miran al MehrabOverview of Cookies in HTTP - Miran al Mehrab
Overview of Cookies in HTTP - Miran al Mehrab
 
Cookies authentication
Cookies authenticationCookies authentication
Cookies authentication
 

More from Jivan Nepali

Crystal Ball Event Prediction and Log Analysis with Hadoop MapReduce and Spark
Crystal Ball Event Prediction and Log Analysis with Hadoop MapReduce and SparkCrystal Ball Event Prediction and Log Analysis with Hadoop MapReduce and Spark
Crystal Ball Event Prediction and Log Analysis with Hadoop MapReduce and SparkJivan Nepali
 
Library System Implementation with JavaFx
Library System Implementation with JavaFxLibrary System Implementation with JavaFx
Library System Implementation with JavaFxJivan Nepali
 
Warehouse based Intelligent Banking Transaction Analysis System
Warehouse based Intelligent Banking Transaction Analysis SystemWarehouse based Intelligent Banking Transaction Analysis System
Warehouse based Intelligent Banking Transaction Analysis SystemJivan Nepali
 
Tourism market segmentation in context of nepal
Tourism market segmentation in context of nepalTourism market segmentation in context of nepal
Tourism market segmentation in context of nepalJivan Nepali
 
Decision Support and Knowledge Based Systems
Decision Support and Knowledge Based SystemsDecision Support and Knowledge Based Systems
Decision Support and Knowledge Based SystemsJivan Nepali
 
Grid computing the grid
Grid computing the gridGrid computing the grid
Grid computing the gridJivan Nepali
 
Restaurant Guide: A GPS based Android App
Restaurant Guide: A GPS based Android AppRestaurant Guide: A GPS based Android App
Restaurant Guide: A GPS based Android AppJivan Nepali
 
Project time management
Project time managementProject time management
Project time managementJivan Nepali
 

More from Jivan Nepali (8)

Crystal Ball Event Prediction and Log Analysis with Hadoop MapReduce and Spark
Crystal Ball Event Prediction and Log Analysis with Hadoop MapReduce and SparkCrystal Ball Event Prediction and Log Analysis with Hadoop MapReduce and Spark
Crystal Ball Event Prediction and Log Analysis with Hadoop MapReduce and Spark
 
Library System Implementation with JavaFx
Library System Implementation with JavaFxLibrary System Implementation with JavaFx
Library System Implementation with JavaFx
 
Warehouse based Intelligent Banking Transaction Analysis System
Warehouse based Intelligent Banking Transaction Analysis SystemWarehouse based Intelligent Banking Transaction Analysis System
Warehouse based Intelligent Banking Transaction Analysis System
 
Tourism market segmentation in context of nepal
Tourism market segmentation in context of nepalTourism market segmentation in context of nepal
Tourism market segmentation in context of nepal
 
Decision Support and Knowledge Based Systems
Decision Support and Knowledge Based SystemsDecision Support and Knowledge Based Systems
Decision Support and Knowledge Based Systems
 
Grid computing the grid
Grid computing the gridGrid computing the grid
Grid computing the grid
 
Restaurant Guide: A GPS based Android App
Restaurant Guide: A GPS based Android AppRestaurant Guide: A GPS based Android App
Restaurant Guide: A GPS based Android App
 
Project time management
Project time managementProject time management
Project time management
 

Recently uploaded

HỌC TỐT TIẾNG ANH 11 THEO CHƯƠNG TRÌNH GLOBAL SUCCESS ĐÁP ÁN CHI TIẾT - CẢ NĂ...
HỌC TỐT TIẾNG ANH 11 THEO CHƯƠNG TRÌNH GLOBAL SUCCESS ĐÁP ÁN CHI TIẾT - CẢ NĂ...HỌC TỐT TIẾNG ANH 11 THEO CHƯƠNG TRÌNH GLOBAL SUCCESS ĐÁP ÁN CHI TIẾT - CẢ NĂ...
HỌC TỐT TIẾNG ANH 11 THEO CHƯƠNG TRÌNH GLOBAL SUCCESS ĐÁP ÁN CHI TIẾT - CẢ NĂ...Nguyen Thanh Tu Collection
 
Transaction Management in Database Management System
Transaction Management in Database Management SystemTransaction Management in Database Management System
Transaction Management in Database Management SystemChristalin Nelson
 
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptx
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptxMULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptx
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptxAnupkumar Sharma
 
Oppenheimer Film Discussion for Philosophy and Film
Oppenheimer Film Discussion for Philosophy and FilmOppenheimer Film Discussion for Philosophy and Film
Oppenheimer Film Discussion for Philosophy and FilmStan Meyer
 
4.18.24 Movement Legacies, Reflection, and Review.pptx
4.18.24 Movement Legacies, Reflection, and Review.pptx4.18.24 Movement Legacies, Reflection, and Review.pptx
4.18.24 Movement Legacies, Reflection, and Review.pptxmary850239
 
Influencing policy (training slides from Fast Track Impact)
Influencing policy (training slides from Fast Track Impact)Influencing policy (training slides from Fast Track Impact)
Influencing policy (training slides from Fast Track Impact)Mark Reed
 
Q4-PPT-Music9_Lesson-1-Romantic-Opera.pptx
Q4-PPT-Music9_Lesson-1-Romantic-Opera.pptxQ4-PPT-Music9_Lesson-1-Romantic-Opera.pptx
Q4-PPT-Music9_Lesson-1-Romantic-Opera.pptxlancelewisportillo
 
MECHANISMS OF DIFFERENT TYPES OF HYPERSENITIVITY REACTIONS.pptx
MECHANISMS OF DIFFERENT TYPES OF HYPERSENITIVITY REACTIONS.pptxMECHANISMS OF DIFFERENT TYPES OF HYPERSENITIVITY REACTIONS.pptx
MECHANISMS OF DIFFERENT TYPES OF HYPERSENITIVITY REACTIONS.pptxAnupkumar Sharma
 
ENG 5 Q4 WEEk 1 DAY 1 Restate sentences heard in one’s own words. Use appropr...
ENG 5 Q4 WEEk 1 DAY 1 Restate sentences heard in one’s own words. Use appropr...ENG 5 Q4 WEEk 1 DAY 1 Restate sentences heard in one’s own words. Use appropr...
ENG 5 Q4 WEEk 1 DAY 1 Restate sentences heard in one’s own words. Use appropr...JojoEDelaCruz
 
week 1 cookery 8 fourth - quarter .pptx
week 1 cookery 8  fourth  -  quarter .pptxweek 1 cookery 8  fourth  -  quarter .pptx
week 1 cookery 8 fourth - quarter .pptxJonalynLegaspi2
 
Choosing the Right CBSE School A Comprehensive Guide for Parents
Choosing the Right CBSE School A Comprehensive Guide for ParentsChoosing the Right CBSE School A Comprehensive Guide for Parents
Choosing the Right CBSE School A Comprehensive Guide for Parentsnavabharathschool99
 
ClimART Action | eTwinning Project
ClimART Action    |    eTwinning ProjectClimART Action    |    eTwinning Project
ClimART Action | eTwinning Projectjordimapav
 
INTRODUCTION TO CATHOLIC CHRISTOLOGY.pptx
INTRODUCTION TO CATHOLIC CHRISTOLOGY.pptxINTRODUCTION TO CATHOLIC CHRISTOLOGY.pptx
INTRODUCTION TO CATHOLIC CHRISTOLOGY.pptxHumphrey A Beña
 
Virtual-Orientation-on-the-Administration-of-NATG12-NATG6-and-ELLNA.pdf
Virtual-Orientation-on-the-Administration-of-NATG12-NATG6-and-ELLNA.pdfVirtual-Orientation-on-the-Administration-of-NATG12-NATG6-and-ELLNA.pdf
Virtual-Orientation-on-the-Administration-of-NATG12-NATG6-and-ELLNA.pdfErwinPantujan2
 
Concurrency Control in Database Management system
Concurrency Control in Database Management systemConcurrency Control in Database Management system
Concurrency Control in Database Management systemChristalin Nelson
 
How to Add Barcode on PDF Report in Odoo 17
How to Add Barcode on PDF Report in Odoo 17How to Add Barcode on PDF Report in Odoo 17
How to Add Barcode on PDF Report in Odoo 17Celine George
 
DIFFERENT BASKETRY IN THE PHILIPPINES PPT.pptx
DIFFERENT BASKETRY IN THE PHILIPPINES PPT.pptxDIFFERENT BASKETRY IN THE PHILIPPINES PPT.pptx
DIFFERENT BASKETRY IN THE PHILIPPINES PPT.pptxMichelleTuguinay1
 
4.16.24 21st Century Movements for Black Lives.pptx
4.16.24 21st Century Movements for Black Lives.pptx4.16.24 21st Century Movements for Black Lives.pptx
4.16.24 21st Century Movements for Black Lives.pptxmary850239
 

Recently uploaded (20)

HỌC TỐT TIẾNG ANH 11 THEO CHƯƠNG TRÌNH GLOBAL SUCCESS ĐÁP ÁN CHI TIẾT - CẢ NĂ...
HỌC TỐT TIẾNG ANH 11 THEO CHƯƠNG TRÌNH GLOBAL SUCCESS ĐÁP ÁN CHI TIẾT - CẢ NĂ...HỌC TỐT TIẾNG ANH 11 THEO CHƯƠNG TRÌNH GLOBAL SUCCESS ĐÁP ÁN CHI TIẾT - CẢ NĂ...
HỌC TỐT TIẾNG ANH 11 THEO CHƯƠNG TRÌNH GLOBAL SUCCESS ĐÁP ÁN CHI TIẾT - CẢ NĂ...
 
Transaction Management in Database Management System
Transaction Management in Database Management SystemTransaction Management in Database Management System
Transaction Management in Database Management System
 
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptx
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptxMULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptx
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptx
 
Oppenheimer Film Discussion for Philosophy and Film
Oppenheimer Film Discussion for Philosophy and FilmOppenheimer Film Discussion for Philosophy and Film
Oppenheimer Film Discussion for Philosophy and Film
 
4.18.24 Movement Legacies, Reflection, and Review.pptx
4.18.24 Movement Legacies, Reflection, and Review.pptx4.18.24 Movement Legacies, Reflection, and Review.pptx
4.18.24 Movement Legacies, Reflection, and Review.pptx
 
Influencing policy (training slides from Fast Track Impact)
Influencing policy (training slides from Fast Track Impact)Influencing policy (training slides from Fast Track Impact)
Influencing policy (training slides from Fast Track Impact)
 
Q4-PPT-Music9_Lesson-1-Romantic-Opera.pptx
Q4-PPT-Music9_Lesson-1-Romantic-Opera.pptxQ4-PPT-Music9_Lesson-1-Romantic-Opera.pptx
Q4-PPT-Music9_Lesson-1-Romantic-Opera.pptx
 
MECHANISMS OF DIFFERENT TYPES OF HYPERSENITIVITY REACTIONS.pptx
MECHANISMS OF DIFFERENT TYPES OF HYPERSENITIVITY REACTIONS.pptxMECHANISMS OF DIFFERENT TYPES OF HYPERSENITIVITY REACTIONS.pptx
MECHANISMS OF DIFFERENT TYPES OF HYPERSENITIVITY REACTIONS.pptx
 
ENG 5 Q4 WEEk 1 DAY 1 Restate sentences heard in one’s own words. Use appropr...
ENG 5 Q4 WEEk 1 DAY 1 Restate sentences heard in one’s own words. Use appropr...ENG 5 Q4 WEEk 1 DAY 1 Restate sentences heard in one’s own words. Use appropr...
ENG 5 Q4 WEEk 1 DAY 1 Restate sentences heard in one’s own words. Use appropr...
 
week 1 cookery 8 fourth - quarter .pptx
week 1 cookery 8  fourth  -  quarter .pptxweek 1 cookery 8  fourth  -  quarter .pptx
week 1 cookery 8 fourth - quarter .pptx
 
Choosing the Right CBSE School A Comprehensive Guide for Parents
Choosing the Right CBSE School A Comprehensive Guide for ParentsChoosing the Right CBSE School A Comprehensive Guide for Parents
Choosing the Right CBSE School A Comprehensive Guide for Parents
 
YOUVE_GOT_EMAIL_PRELIMS_EL_DORADO_2024.pptx
YOUVE_GOT_EMAIL_PRELIMS_EL_DORADO_2024.pptxYOUVE_GOT_EMAIL_PRELIMS_EL_DORADO_2024.pptx
YOUVE_GOT_EMAIL_PRELIMS_EL_DORADO_2024.pptx
 
ClimART Action | eTwinning Project
ClimART Action    |    eTwinning ProjectClimART Action    |    eTwinning Project
ClimART Action | eTwinning Project
 
INTRODUCTION TO CATHOLIC CHRISTOLOGY.pptx
INTRODUCTION TO CATHOLIC CHRISTOLOGY.pptxINTRODUCTION TO CATHOLIC CHRISTOLOGY.pptx
INTRODUCTION TO CATHOLIC CHRISTOLOGY.pptx
 
Mattingly "AI & Prompt Design: Large Language Models"
Mattingly "AI & Prompt Design: Large Language Models"Mattingly "AI & Prompt Design: Large Language Models"
Mattingly "AI & Prompt Design: Large Language Models"
 
Virtual-Orientation-on-the-Administration-of-NATG12-NATG6-and-ELLNA.pdf
Virtual-Orientation-on-the-Administration-of-NATG12-NATG6-and-ELLNA.pdfVirtual-Orientation-on-the-Administration-of-NATG12-NATG6-and-ELLNA.pdf
Virtual-Orientation-on-the-Administration-of-NATG12-NATG6-and-ELLNA.pdf
 
Concurrency Control in Database Management system
Concurrency Control in Database Management systemConcurrency Control in Database Management system
Concurrency Control in Database Management system
 
How to Add Barcode on PDF Report in Odoo 17
How to Add Barcode on PDF Report in Odoo 17How to Add Barcode on PDF Report in Odoo 17
How to Add Barcode on PDF Report in Odoo 17
 
DIFFERENT BASKETRY IN THE PHILIPPINES PPT.pptx
DIFFERENT BASKETRY IN THE PHILIPPINES PPT.pptxDIFFERENT BASKETRY IN THE PHILIPPINES PPT.pptx
DIFFERENT BASKETRY IN THE PHILIPPINES PPT.pptx
 
4.16.24 21st Century Movements for Black Lives.pptx
4.16.24 21st Century Movements for Black Lives.pptx4.16.24 21st Century Movements for Black Lives.pptx
4.16.24 21st Century Movements for Black Lives.pptx
 

Cookies: HTTP state management mechanism

  • 2. OUR TEAM Bibek Subedi, 066 BCT 506 Dinesh Subedi, 066 BCT 512 Laxmi Kadariya, 066 BCT 518 Jivan Nepali, 066 BCT 517 June 19, 2013
  • 3. PRESENTATION OUTLINE  INTRODUCTION – Definition, Types, Purpose, Syntax & Semantics of Cookies  COOKIE TECHNOLOGY – Components, Working Principle & Storage Model  COOKIE: PRIVACY CONSIDERATIONS  COOKIE: SECURITY CONSIDERATIONS  COOKIE AUTHENTICATION GUIDELINES
  • 4. INTRODUCTION  A “cookie” is a small piece of information sent by a web server to store on a web browser so it can later be read back from that browser. This is useful for having the browser remember some specific information.  Cookies were designed to be a reliable mechanism for websites to remember the state of the website or activity the user had taken in the past  Although cookies cannot carry viruses, and cannot install malware on the host computer, tracking cookies and especially third-party tracking cookies are commonly used as ways to compile long-term records of individuals’ browsing histories – Privacy Concern
  • 5. PURPOSE OF COOKIES  Cookies make the interaction between users and web sites faster and easier  Web sites often use cookies of the purpose of collecting demographic information about their users.  Cookies enable web sites to monitor their users’ web surfing habits and profile them for marketing purposes  With the increasing commercial applications of the Internet, it was probably inevitable that cookies would quickly be utilized for advertising purposes.  Since cookies can be matched to the profile of a user’s interests and browsing habits, they are a natural tool for the “targeting” of advertisements to individual users.
  • 6. TYPES OF COOKIES  Session or Transient cookies Cookies that are stored in the computer’s memory only during a user’s browsing session and are automatically deleted form the user’s computer when the browser is closed.  Permanent, Persistent or Stored cookies Permanent cookies can be used to identify individual users, so they may be used by web sites to analyze users’ surfing behavior within the web site. They are usually configured to keep track of users for a prolonged period of time, in some cases many years into the future.
  • 7. SYNTAX & SEMANTICS OF COOKIES 1. Cookie Name ◦ public String getName(); ◦ public void setName(String name); 2. Cookie Value ◦ public String getValue(); ◦ public void setValue(String value); 3. Cookie Version ◦ public String getVersion(); ◦ pulic void setVersion(String domain); 4. Cookie Age ◦ public in getMaxAge(); ◦ public void setMaxAge(int lifetime);
  • 8. EXAMPLE- SYNTAX & SEMANTICS (Java) Creating a Cookie Step 1: Create a Cookie instance by calling the Constructor Cookie cookie = new Cookie() Step 2: Set the name and value of the Cookie cookie.setName(“ID”); cookie.setValue(5); (Both step can be done directly using Cookie cookie = new Cookie(“ID”,5) Step 3: Set and maximum age and version of Cookie cookie.setMaxAge(2500); cookie.setVersion(1); Step 4: Finally add the cookie object to the response object Response.addCookie(cookie);
  • 9. COOKIE COMPONENTS  HTTP is stateless. But, if an website wants to keep track the identity of its user, then HTTP uses cookie for this purpose.  Cookie technology has following four components o A cookie header line in the HTTP response message o A cookie header line in the HTTP request message o A cookie file kept in the user’s end system & managed by the user’s browser o A back-end database at the website
  • 10. WORKING PRINCIPLE:USER-SERVER INTERACTION  Suppose Susan, who always accesses the Web using Internet Explorer from her home PC, contacts amazon.com for the first time.  Let us suppose that in the past she has already visited the eBay site – ebay.com.  When the HTTP request comes in the Amazon’s web server, it creates ◦ unique Identification number ◦ entry in backend database that is indexed by the Identification number for Susan
  • 11. WORKING PRINCIPLE CONTD… Figure : Keeping user ‘state’ using cookies
  • 12. WORKING PRINCIPLE CONTD… WHAT COOKIES CAN BRING  Authorization  Shopping carts  Recommendations  User session state (Web e-mail) HOW TO KEEP STATE  Protocol endpoints: maintain state at sender/receiver over multiple transactions  Cookies: http messages carry state
  • 13. PRIVACY CONSIDERATIONS  Third party cookies if a user visits a site that contains content from a third party and then later visits another site that contains content from the same third party, the third party can track the user between the two sites  User controls User agents SHOULD provide users with a mechanism for managing the cookies stored in the cookie store  Expiration dates Although servers can set the expiration date for cookies to the distant future, most user agents do not actually retain cookies for multiple decades
  • 14. SECURITY CONSIDERATIONS  Ambient authority  Clear text  Session identifier  Weak confidentiality  Weak integrity
  • 15. COOKIE AUTHENTICATION GUIDELINES  Use SSL for username/password authentication  Do not store plain text or weakly encrypted password in a cookie  The cookie should not be re-used or re-used easily by another person  Password or other confidential info should not be able to be extracted from the cookie  Cookie authentication credential should NOT be valid for an over extended length of times  Set up “booby trapped” session tokens that never actually get assigned but will detect if an attacker is trying to brute force a range of tokens.
  • 16. COOKIE AUTHENTICATION GUIDELINES CONTD… (Whenever possible) Tie cookie authentication to an IP address (part or all of the IP address)  Adding “salt” to your cookie (e.g. hashed http header of a particular browser, MAC address)  Re-authenticate whenever critical decisions are made  Over write tokens upon logout.  Consider using server side cache to store session information, only retain an index to the cache on the client side (also use ‘booby trapped’ indices)