http-protocol-cookie

Overview

An HTTP cookie (web cookie, browser cookie) is a small piece of data that a server sends to the user's web browser. The browser may store it and send it back with the next request to the same server. Typically, it’s used to tell if two requests come from the same browser — keeping a user logged-in, for example. It remembers stateful information for the stateless HTTP protocol.

Cookies are mainly used for three purposes:

  • Session management
    Logins, shopping carts, game scores, or anything else the server should remember (stateful data)
  • Personalization
    User preferences, themes, and other settings
  • Tracking
    Recording and analyzing user behavior

Note: if you just want to store something on the client, use the storage APIs instead, the Web Storage API (localStorage and sessionStorage) and IndexedDB. A valid cookie is sent with every matching request, so cookies can hurt performance.

An expiration date or duration can be specified, after which the cookie is no longer sent. Additionally, restrictions to a specific domain and path can be set, limiting where the cookie is sent. Whether a cookie is sent depends on the request URI, domain, path, etc.

Session cookies

HTTP/2.0 200 OK
Content-type: text/html
Set-Cookie: yummy_cookie=choco
Set-Cookie: tasty_cookie=strawberry

[page content]
GET /sample_page.html HTTP/2.0
Host: www.example.org
Cookie: yummy_cookie=choco; tasty_cookie=strawberry

A cookie without Expires or Max-Age is a session cookie; it is deleted when the client shuts down.

Permanent cookies

Set-Cookie: id=a3fWa; Expires=Wed, 21 Oct 2015 07:28:00 GMT

Secure and HttpOnly

A secure cookie is only sent to the server with an encrypted request over the HTTPS protocol.

HttpOnly cookies are inaccessible to JavaScript's Document.cookie API.

Set-Cookie: id=a3fWa; Expires=Wed, 21 Oct 2015 07:28:00 GMT; Secure; HttpOnly

CSRF token and SameSite

SameSite cookies let servers require that a cookie shouldn’t be sent with cross-site (where Site is defined by the registrable domain) requests, which provides some protection against cross-site request forgery attacks (CSRF).

Set-Cookie: key=value; SameSite=Strict

CSRF tokens are used to protect against CSRF attacks.

A CSRF token is a unique, secret, unpredictable value that is generated by the server-side application and transmitted to the client in such a way that it is included in a subsequent HTTP request made by the client. When the later request is made, the server-side application validates that the request includes the expected token and rejects the request if the token is missing or invalid.

CSRF tokens can prevent CSRF attacks by making it impossible for an attacker to construct a fully valid HTTP request suitable for feeding to a victim user. Since the attacker cannot determine or predict the value of a user’s CSRF token, they cannot construct a request with all the parameters that are necessary for the application to honor the request.

Set-Cookie: CSRF=e8b667; Secure; Domain=example.com

A CSRF token should be included in <form> elements via a hidden input field.

What is a CSRF attack?

The Domain and Path directives define the scope of the cookie: cookie is sent only when it matches domain and path.

Domain specifies allowed hosts to receive the cookie. If unspecified, it defaults to the host of the current document location, excluding subdomains. If Domain is specified, then subdomains are always included.

For example, if Domain=mozilla.org is set, then cookies are included on subdomains like developer.mozilla.org.

Path indicates a URL path that must exist in the requested URL in order to send the Cookie header. The %x2F ("/") character is considered a directory separator, and subdirectories will match as well.

For example, if Path=/docs is set, these paths will match:

/docs
/docs/Web/
/docs/Web/HTTP
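Putting the rules above together (Expires/Max-Age, Secure, Domain and Path), the following added Python example, not code from the original notes, parses a Set-Cookie value and decides whether a browser would attach the cookie to a given request. `NOW` is a constructed clock, the hosts and URLs are sample values, and the function takes the header value without the "Set-Cookie:" prefix.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from urllib.parse import urlsplit

NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed "current time" for the checks

@dataclass
class Cookie:
    name: str
    value: str
    domain: str         # host the cookie is scoped to (lowercase, no leading dot)
    host_only: bool     # True when Set-Cookie carried no Domain attribute
    path: str
    secure: bool
    expires: "datetime | None"   # None means session cookie: gone when the client exits

def parse_set_cookie(header: str, request_host: str, now: datetime = NOW) -> Cookie:
    # Parse one Set-Cookie header value as received from request_host.
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {k.strip().lower(): v.strip() for k, _, v in (p.partition("=") for p in parts[1:])}
    expires = None
    if "max-age" in attrs:      # Max-Age wins over Expires when both are present
        expires = now + timedelta(seconds=int(attrs["max-age"]))
    elif "expires" in attrs:
        expires = parsedate_to_datetime(attrs["expires"])
    domain = attrs.get("domain", "").lstrip(".").lower()
    return Cookie(name.strip(), value, domain or request_host.lower(), not domain,
                  attrs.get("path") or "/", "secure" in attrs, expires)

def path_matches(cookie_path: str, request_path: str) -> bool:
    # RFC 6265 path-match: identical, or a prefix that ends at a "/" boundary
    if not request_path.startswith(cookie_path):
        return False
    rest = request_path[len(cookie_path):]
    return rest == "" or cookie_path.endswith("/") or rest.startswith("/")

def domain_matches(cookie: Cookie, host: str) -> bool:
    # host-only cookies match the exact host; Domain= cookies also match subdomains
    return host == cookie.domain or (not cookie.host_only and host.endswith("." + cookie.domain))

def would_send(cookie: Cookie, url: str, now: datetime = NOW) -> bool:
    # Would a browser attach this cookie to a request for url at time now?
    u = urlsplit(url)                        # urlsplit lowercases the hostname for us
    if cookie.expires is not None and now >= cookie.expires:
        return False                         # expired permanent cookie
    if cookie.secure and u.scheme != "https":
        return False                         # Secure cookies travel only over HTTPS
    return domain_matches(cookie, u.hostname or "") and path_matches(cookie.path, u.path or "/")
```

SameSite is deliberately left out: deciding whether a request is cross-site needs the registrable domain (public suffix list), which this sketch does not model.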

cookie panel