What are browser Cookies?
Cookies are pieces of information stored on the client side, which are sent to the server with every request made by the client. Cookies are primarily used for authentication and maintaining sessions.
HTTP and HTTPS are stateless protocols: they carry no state that ties one request to the next, so on their own they cannot maintain a user session or remember user preferences.
A cookie generally contains the user’s preferences and information related to the user’s identity. Hence, securing a cookie effectively means securing the user’s identity.
Cookies can be secured by properly setting cookie attributes or cookie headers. These attributes are:
- Secure
- Domain
- Path
- HttpOnly
- Expires
- Max-Age
- SameSite
Let’s see how each of these attributes helps secure cookies.
Secure
Since cookies carry the user’s identification and session back to the server on every request, a captured cookie can simply be replayed. If cookies are not protected with the proper attributes, an attacker who sniffs them on the communication channel can present them to the server, impersonate the user and gain access to the user’s resources.
One of the most common ways to steal data, including cookies, from a communication channel is sniffing.
Sniffing is a theft or interception of data by capturing the network traffic using a sniffer (an application aimed at capturing network packets).
Source: Wikipedia (https://en.wikipedia.org/wiki/Sniffing_attack)
Sniffing is generally used to extract usernames and passwords, and it succeeds whenever the data sent over the channel is not encrypted.
To overcome this problem, we encrypt data before transmission. Encryption ensures that an attacker who sniffs the traffic cannot recover clear-text data from it.
Many applications encrypt only the login page and other sensitive pages. Other requests, such as those for image files, are sent to the server over non-encrypted connections. But because cookies are transmitted with those requests too, an attacker sniffing the network can steal session information from them. Also, some sites are reachable over both HTTP and HTTPS. In such cases it is important to make sure the cookie is transmitted only over HTTPS connections, never over HTTP.
This can be done with the help of the ‘Secure’ attribute of a cookie.
The ‘Secure’ attribute makes sure that the cookie will only be sent with requests made over an encrypted connection and an attacker won’t be able to steal cookies by sniffing. However, we need to be very careful while setting this attribute.
Under the older specification, simply setting the ‘Secure’ attribute did not guarantee that the cookie would always be transmitted over an encrypted connection.
RFC 2965 states,
When it sends a “secure” cookie back to a server, the user agent SHOULD use no less than the same level of security as was used when it received the cookie from the server.
But according to the recent RFC 6265 which obsoletes RFC 2965,
User agent will include the cookie with “Secure” attribute in an HTTP request only if the request is transmitted over a secure channel (HTTP over Transport Layer Security (TLS))
Domain and Path
The ‘Domain’ attribute specifies the domain for which the cookie is valid; the cookie is submitted with every request to that domain or any of its sub-domains. If this attribute is not specified, the hostname of the originating server is used as the default, and the cookie is then sent only to that exact host (not to its sub-domains).
The ‘Path’ attribute signifies the URL path for which the cookie is valid. The default path attribute is ‘/’.
Set Domain and Path attributes properly
Assume I have created a business website on the domain ‘abcd.com’, hosted on either the sub-domain ‘test.abcd.com’ or the sub-folder ‘abcd.com/test’.
Now consider an attacker who has a site under the same domain ‘abcd.com’, on either the sub-domain ‘attacker.abcd.com’ or the sub-folder ‘abcd.com/attacker’.
The cookie is set with domain ‘abcd.com’ and path ‘/’.
A cookie set for the ‘abcd.com’ domain is also valid for its sub-domains and sub-folders. So the cookie created for a user on ‘test.abcd.com’ or ‘abcd.com/test’ is also sent with HTTP requests made to ‘attacker.abcd.com’ or ‘abcd.com/attacker’, because the cookie is scoped to the top-level domain. Using this cookie, the attacker can hijack the user’s session.
Thus, the ‘Domain’ and ‘Path’ attributes must be set precisely, to the application’s own host and path, in any environment where sub-domains and sub-folders host different applications.
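As an added example (not code from the original article), the following simplified model of the RFC 6265 domain, path and Secure rules reproduces the abcd.com scenario above and shows why a cookie scoped to the top-level domain reaches the attacker’s sub-domain while one bound to the application’s own host or sub-folder does not. The cookie objects and URLs are constructed for illustration.

```javascript
// Added example (not from the article): a simplified model of the RFC 6265
// rules a browser applies before attaching a cookie to a request. The cookie
// objects and URLs are constructed to reproduce the abcd.com scenario above.

// RFC 6265 §5.1.3 domain matching: exact host, or host is a sub-domain.
function domainMatches(host, cookieDomain) {
  host = host.toLowerCase();
  cookieDomain = cookieDomain.toLowerCase();
  return host === cookieDomain || host.endsWith('.' + cookieDomain);
}

// RFC 6265 §5.1.4 path matching: "/test" covers "/test/home" but not "/testing".
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith('/') || requestPath[cookiePath.length] === '/';
}

// Would the browser send `cookie` with a request to `url`?
// cookie: { domain, path, secure, hostOnly } where hostOnly models a cookie
// set without a Domain attribute (sent to that exact host only).
function shouldSendCookie(cookie, url) {
  const u = new URL(url);
  const domainOk = cookie.hostOnly
    ? u.hostname === cookie.domain.toLowerCase()
    : domainMatches(u.hostname, cookie.domain);
  if (!domainOk) return false;
  if (!pathMatches(u.pathname, cookie.path || '/')) return false;
  if (cookie.secure && u.protocol !== 'https:') return false; // Secure attribute
  return true;
}

// Weak: session cookie scoped to the whole abcd.com domain and path "/".
const broad = { domain: 'abcd.com', path: '/', secure: true, hostOnly: false };
// Hardened alternatives: bound to the app's own sub-domain, or to its own sub-folder.
const ownHost = { domain: 'test.abcd.com', path: '/', secure: true, hostOnly: true };
const ownPath = { domain: 'abcd.com', path: '/test', secure: true, hostOnly: true };

console.log(shouldSendCookie(broad, 'https://attacker.abcd.com/'));   // true: leaks
console.log(shouldSendCookie(ownHost, 'https://attacker.abcd.com/')); // false
console.log(shouldSendCookie(ownPath, 'https://abcd.com/attacker/')); // false
console.log(shouldSendCookie(broad, 'http://abcd.com/img/logo.png')); // false: not HTTPS
```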
HttpOnly
When this flag is set on a cookie, client-side scripts cannot access the cookie; it is only transmitted in HTTP requests.
This prevents Cross-Site Scripting (XSS) attacks from stealing cookies with the help of client-side scripts.
Restricting client-side script access does not completely eliminate the risk of cookie theft via XSS, but it raises the bar considerably and blocks the most common XSS technique for stealing cookies.
Expires
This attribute is used to create persistent cookies. It tells the browser how long to keep the persistent cookie and when to delete it.
The Expires attribute indicates the maximum lifetime of the cookie, represented as the date and time at which the cookie expires.
If this attribute is not specified, the cookie lives only as long as the browser session, i.e. it is a non-persistent cookie.
The ‘Expires’ attribute limits the cookie’s lifetime to the specified period, which reduces the window in which an attacker could obtain and use it.
Max-Age
A more recently introduced cookie attribute that serves a similar purpose to ‘Expires’.
The Max-Age attribute indicates the maximum lifetime of the cookie, represented as the number of seconds until the cookie expires.
NOTE: Some existing user agents do not support the Max-Age attribute. User agents that do not support the Max-Age attribute ignore the attribute.
If a cookie has both the Max-Age and the Expires attribute, the Max-Age attribute has precedence and controls the expiration date of the cookie.
If a cookie has neither the Max-Age nor the Expires attribute, the user agent will retain the cookie until “the current session is over” (as defined by the user agent).
SameSite
The “SameSite” cookie attribute was introduced recently, with the Chrome 51 release, for Chrome-based browsers.
It was introduced to prevent CSRF attacks by not letting cross-site requests (from third-party domains) carry browser cookies that are intended to be sent only in first-party (registered domain) requests.
Same-site cookies (née “First-Party-Only” (née “First-Party”)) allow servers to mitigate the risk of CSRF and information leakage attacks by asserting that a particular cookie should only be sent with requests initiated from the same registrable domain.
— Chrome Documentation
There are two possible values for the “SameSite” attribute: Lax and Strict.
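The HttpOnly, Expires/Max-Age and SameSite rules above can be checked mechanically on the server side. This added example (not code from the article) parses a Set-Cookie header into its attributes, applies the Max-Age-over-Expires precedence rule, and lints a session cookie for the missing protections discussed; the sample headers `weak` and `hardened` are constructed.

```javascript
// Added example (not from the article): parse a Set-Cookie header into its
// attributes and lint it for the weaknesses discussed above. The headers in
// `weak` and `hardened` are constructed samples.

function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const c = { name: pair.slice(0, eq), value: pair.slice(eq + 1), secure: false,
              httpOnly: false, sameSite: null, maxAge: null, expires: null,
              domain: null, path: '/' };
  for (const attr of attrs) {
    const [k, ...rest] = attr.split('=');
    const key = k.trim().toLowerCase();
    const val = rest.join('=').trim();       // value may itself contain '='
    if (key === 'secure') c.secure = true;
    else if (key === 'httponly') c.httpOnly = true;
    else if (key === 'samesite') c.sameSite = val;
    else if (key === 'max-age') c.maxAge = parseInt(val, 10);
    else if (key === 'expires') c.expires = new Date(val);
    else if (key === 'domain') c.domain = val.replace(/^\./, '').toLowerCase();
    else if (key === 'path') c.path = val;
  }
  return c;
}

// Lifetime rule from RFC 6265: Max-Age takes precedence over Expires; with
// neither present the cookie is a session cookie.
function expiryKind(c) {
  if (c.maxAge !== null) return 'max-age';
  if (c.expires !== null) return 'expires';
  return 'session';
}

// Findings a defender would raise for a session cookie header.
function auditSetCookie(header) {
  const c = parseSetCookie(header);
  const findings = [];
  if (!c.secure) findings.push('no Secure: cookie is also sent over plain HTTP');
  if (!c.httpOnly) findings.push('no HttpOnly: readable by client-side script (XSS)');
  if (!['Lax', 'Strict'].includes(c.sameSite)) findings.push('no SameSite=Lax/Strict: CSRF exposure');
  if (c.domain !== null) findings.push(`Domain=${c.domain}: also sent to every sub-domain`);
  return findings;
}

const weak = 'sid=abc123; Domain=abcd.com; Path=/; Expires=Wed, 09 Jun 2021 10:18:14 GMT';
const hardened = 'sid=abc123; Path=/; Secure; HttpOnly; SameSite=Strict';
console.log(auditSetCookie(weak));      // four findings
console.log(auditSetCookie(hardened));  // []
```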
Types and Purposes of Cookies
There are various types of cookies: some improve the efficiency of website use and others enable specific functions.
Cookies are generally used for the following purposes:
- store the preferences entered by users
- authentication and maintaining sessions (prevent users from having to enter the same information more than once when visiting the website, such as username and password)
- analyse the use of the services and contents provided by this website to optimize the navigation experience and the services offered
Types of Cookies
Technical Cookies
Technical cookies are used to ensure the correct operation of some sections of the website. There are two categories of technical cookies: persistent and session:
- persistent: once you quit the browser they are not destroyed but remain until the set expiry date
- session: these are destroyed every time you quit the browser
Session Cookie
Also called a transient cookie, a session cookie is erased when you close the web browser. It is stored in temporary memory and is not retained after the browser is closed. Session cookies do not collect information from your computer; they typically store a session identifier that does not personally identify the user.
Persistent Cookie
Also called a permanent cookie or a stored cookie, a persistent cookie is stored on your hard drive until it expires (persistent cookies are set with expiration dates) or until you delete it. Persistent cookies are used to collect identifying information about the user, such as web browsing behaviour or user preferences for a specific website.
Analytical Cookies
The cookies in this category are used to gather information on the use of the website. SEO uses this information for anonymous statistical analysis in order to improve the use of the website and make the contents more interesting and pertinent to the wishes of its users. This type of cookie collects data in anonymous form concerning users’ activities and how they reached the website. Analytical cookies are sent from the website itself or from third-party domains.
Third party service analysis cookies
These cookies are used to collect information on the use of the Website by users in anonymous form such as: pages visited, time spent, origins of traffic, geographical origin, age, gender and interests for marketing campaign purposes. These cookies are sent from third party domains external to the Website.
Cookies for integrating third party products and software functions
This type of cookies integrates functions developed by third parties within the pages of the Website, such as icons and preferences expressed on social networks, in order to share the contents of the website and for the use of third party software services (such as software for generating maps and other software that offers additional services). These cookies are sent from third party domains and partner websites that offer their functions on the pages of the Website.
Profiling cookies
These are cookies needed for creating user profiles in order to send advertising messages in line with the preferences expressed by the user in the website pages.
Under current law, consent is not required for technical and analytical cookies, as these are needed to provide the requested services.
For all other types of cookies, consent must be expressed, and users may express it in one or more of the following ways:
- Through specific settings of the browser or related software used to visit the pages of the website (prompted at the time of access in the browser)
- By changing the settings for the use of third party services.
References:
https://tools.ietf.org/html/rfc2965
https://tools.ietf.org/html/rfc6265
https://www.owasp.org/index.php/SecureFlag
https://www.chromestatus.com/feature/4672634709082112