HTTP Cookies
HTTP Cookies are small pieces of information generated by the web server to store them on the user’s browser. The browser then in turn sends the cookies for each request to the same domain.
Usage:
Cookies are primarily used for three use cases:
- Session Management: Authentication, shopping cart etc
- Personalization: User preference, configuration, themes, etc
- Tracking: Record and analyze user behaviour
Creating cookies:
- Server Side:
Cookies are sent to the user agent through the HTTP header
Set-CookieSet-Cookie: <cookie-name>=<cookie-value>; <option-name>=<option-value>Example:
app.get('/hello/world', (req, resp) => { resp.cookie('hello-world','world2',{maxAge: 180000, path:"/hello", sameSite: true}) resp.send("Hello World!") }) - Client Side:
JavaScript can operate on cookies using the
document.cookieproperty:document.cookie = "<cookie-name>=<cookie-value>; <option-name>=<option-value>"Example:
<html> <head> <title> Sample site </title> </head> <header>Hello <%= locals.text || 'Default' %>!</header> <script> function createCookie(){ // alert('button is clicked!') document.cookie = "name=tisan" } </script> <body> <br/><br/>This is a sample body to greet <%= locals.text || 'default' %><br/><br/> <button id="createCookieButton" onclick="createCookie()">Create Cookie</button> <a href="http://example.com">Example website</a> </body> </html>
Cookie Scope:
Domain:
All the cookies are scoped to a specific domain and not shared by the subdomains. However if the Domain is specified then the cookies are shared with the subdomains also. Therefore specifying the Domain attribute is less restrictive. Domain=mozilla.org, cookies are available on subdomains like developer.mozilla.org. The domain also should match with the requested server, otherwise the cookie is rejected by the browser
Path:
The path attribute indicates the URL path for which the cookie is available. By default the cookies are shared with all the URLs under the allowed domain. However, the cookies can be restricted to be sent for the request matching with specific URL path prefix with the help of the path attribute.
app.get('/hello', (req, resp) => {
resp.cookie('hello','world',{path:"/hello"})
resp.send("Hello!")
})
Lifetime:
By default the cookies are cleared when the browser session is closed. These cookies are called browser cookies. When the Expires or Max-Age attribute is set, the browser might retain the cookies in persistent storage. This type of cookie is called permanent cookie. It’s to be noted that the ```Max-Age`` attribute defines the miliseconds for which the cookie is going to be active. Browsers also has their own maximum allowed value for these attributes. For example, Chrome browser allows cookies to be active for a maximum of 400 days, and if some cookie is sent from server which exceeds this, then then it’s capped to the upper limit of 400 days.
app.get('/hello/world', (req, resp) => {
resp.cookie('hello-world','world2',{maxAge: 180000, path:"/hello"})
resp.send("Hello World!")
})
Security:
The secure attribute ensures that the associated cookie is sent only over an encypted channel, which means that these cookies aren’t sent for unsecured HTTP (except localhost). It overcomes a man-in-the-middle attack, however, cookies are still exposed if the attacker has got access of the hard-disk of the user system.
The httpOnly attribute ensures that the associated cookie is hidden from the Javascript document.cookie API. Even though it’s not accessibe through JavaScript, would be sent by the browser for each applicable requests. This is useful to mitigate XSS attack.
The SameSite attribute lets servers specify whether/when cookies are sent with cross-site requests (where Site is defined by the registrable domain and the scheme: http or https). This provides some protection against cross-site request forgery attacks (CSRF). It takes three possible values: Strict, Lax, and None. With Strict, the browser only sends the cookie with requests from the cookie’s origin site.
Advertisement/3rd party cookies:
One most prominent use of cookies is for the advertisement through third party servies. To provide one example, companies like Facebook and Google has their own ad-network. Once a customer is logged in to their services, the domain specific cookies are set. Howver the cookies would be only used for the requested site only.
Now, while visiting the other sites, these sites have thier own cookies, and they also rely upon third party services for analytics related operation. These sites includes a small script to fetch the analytics information, and the browser while requesting the analytics information send the cookies that were set the by the ad network sites. Now the ad-networks are aware of our visit to another site.
It’s a common misconception that once a tab is closed, the session is closed, hence the session cookies are also cleared. It’s to be noted that the concept of session is somewhat different in the context of cookies. The permanent cookies are retained in the persistent storage, and the session cookies also remain active till the time browser instance is running. Hence even if the earlier tab for the Google or Facebook is closed, their cookies still remain active, and the other sites utilizing their analytics framework injects their script, and this is how the ad-networks are able to understand our browsing behaviour.
Limitation:
Browser has it’s own set of limitation of storing cookies, which again is varied browser to browser. In general, all the browsers are exptected to accept at-least 300 cookies, and the overall size of all the cookies for a particular domain should be below 4 kB.
To be explored:
- Web based attack techniques
- How Analytics is done by different Ad-networks