Cookies and security

techie | June 4 - 2010

Cookies are pieces of information generated by a Web server and stored in the user’s computer, ready for future access. Cookies are embedded in the HTML information moving back and forth between the user’s computer and the servers. Cookies are employed to allow user-side customization of Web information. Cookies are used to personalize Web search engines, to allow users to participate in web contests, and to store shopping lists of items a user has selected while browsing through a virtual shopping mall.

Cookies make use of user-specific information transmitted by the Web server onto the user’s computer so that the information might be available for later access by itself or other servers. In most cases, not only does the storage of information (of the area of interest) into a cookie go unnoticed, so does access to it. Web servers automatically gain access to relevant cookies whenever the user establishes a connection to them, usually in the form of Web requests.

Cookies are based on a two-stage process. In the first stage the cookie is stored in the user’s computer without their consent or knowledge. With customizable Web search engines, a user selects categories of interest from the Web page. The Web server then creates a specific cookie. This is a tagged string of text containing the user’s preferences, and it transmits this cookie to the user’s computer. The user’s Web browser receives the cookie and stores it in a special file called a cookie list. This happens without any notification or user consent. As a result, personal information is formatted by the Web server, transmitted, and saved by the user’s computer.
During the second stage, the cookie is automatically transferred from the user’s machine to a Web server. Whenever a user directs that specific Web browser to display a certain Web page from the server, that browser will, without the user’s knowledge, transmit the cookie containing personal information to the Web server.

Authentication cookies

The path attribute can also play a role in securing authentication cookies. When you place public files in the virtual root and protected files in a subdirectory configured for HTTPS, you can restrict the authentication cookie to that subdirectory.

If you accept the default path of /, the authentication cookie you acquire is transmitted in all requests to the Web site, not just the ones directed to the Secret directory. An intruder can intercept the cookie on its way to a public page and use it to gain access to protected pages. Here’s the solution:

<forms path="/Secret" />

Now the cookie will only be transmitted in requests for resources in the Secret subdirectory and its subdirectories. This means that it’s only transmitted over secure channels.
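The two-stage process described earlier (server sets the cookie, browser returns it on later requests) and the effect of the forms `path` setting above both come down to the browser's cookie-matching rules from RFC 6265. The following Python simulation is an added example, not code from the original post or from ASP.NET: it parses a Set-Cookie header the way a browser does and then decides which requests get the cookie. The cookie name `auth`, the token value and the example.com URLs are constructed for the demonstration. The `<forms path="/Secret" />` setting corresponds to the cookie's `Path` attribute; the example also shows the `Secure` attribute (in ASP.NET, `requireSSL="true"` on the forms element), which is the control that actually keeps the cookie off plain HTTP regardless of path.

```python
"""Simulate which cookies a browser attaches to a request (RFC 6265 rules).

Added example: the Set-Cookie values and URLs below are constructed.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass
class Cookie:
    name: str
    value: str
    path: str = "/"
    secure: bool = False
    http_only: bool = False


def default_path(request_path: str) -> str:
    """RFC 6265 5.1.4: when Set-Cookie carries no Path, the browser derives
    the cookie path from the directory of the request URL."""
    if not request_path.startswith("/") or request_path.count("/") == 1:
        return "/"
    return request_path[: request_path.rfind("/")]


def parse_set_cookie(header: str, request_url: str) -> Cookie:
    """Parse one Set-Cookie header value as a browser would (RFC 6265 5.2)."""
    pair, *attrs = [part.strip() for part in header.split(";")]
    name, _, value = pair.partition("=")
    cookie = Cookie(name.strip(), value.strip(),
                    path=default_path(urlsplit(request_url).path))
    for attr in attrs:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "path" and val.strip().startswith("/"):
            cookie.path = val.strip()
        elif key == "secure":
            cookie.secure = True
        elif key == "httponly":
            cookie.http_only = True
    return cookie


def path_matches(cookie_path: str, request_path: str) -> bool:
    """RFC 6265 5.1.4 path-match: the cookie path must be a prefix of the
    request path that ends on a directory boundary ("/Secret" matches
    "/Secret/page.aspx" but not "/Secretive/page.aspx")."""
    if cookie_path == request_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"


def cookies_for_request(jar, request_url: str):
    """Names of the cookies the browser would send with this request.
    A Secure cookie is never attached to a non-HTTPS request."""
    url = urlsplit(request_url)
    request_path = url.path or "/"
    sent = []
    for cookie in jar:
        if cookie.secure and url.scheme != "https":
            continue
        if path_matches(cookie.path, request_path):
            sent.append(cookie.name)
    return sent


def demo():
    """Three server configurations (constructed Set-Cookie headers issued by a
    login page under /Secret) against four later requests from the browser.
    Returns, per configuration, the requests that carried the auth cookie."""
    login_url = "https://example.com/Secret/login.aspx"
    configs = {
        "path_root": "auth=TOKEN; path=/; HttpOnly",              # default path=/
        "path_secret": "auth=TOKEN; path=/Secret; HttpOnly",      # <forms path="/Secret" />
        "path_secret_secure": "auth=TOKEN; path=/Secret; Secure; HttpOnly",  # plus requireSSL
    }
    requests = [
        "http://example.com/index.html",            # public page, plain HTTP
        "http://example.com/Secret/page.aspx",      # protected path, but plain HTTP
        "https://example.com/Secret/page.aspx",     # protected path over HTTPS
        "https://example.com/Secretive/page.aspx",  # prefix collision, different directory
    ]
    results = {}
    for label, header in configs.items():
        jar = [parse_set_cookie(header, login_url)]
        results[label] = [u for u in requests if cookies_for_request(jar, u)]
    return results


if __name__ == "__main__":
    for label, urls in demo().items():
        print(label, urls)
```

With the default path the cookie rides along on the plain-HTTP request for the public page, which is the exposure described above. Scoping it to `/Secret` keeps it off the public page, but the cookie still goes out over plain HTTP if anything under `/Secret` is ever requested without HTTPS; only the `Secure` attribute stops that. Note also that path matching is a case-sensitive byte comparison in the browser even where the server treats `/secret` and `/Secret` as the same directory.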