CookieSecurity


Introduction

1. Why cookies are necessary

HTTP is a stateless protocol for transmitting data in a computer network. It is mainly used for communication between a server and a client in the WWW. Because the protocol is stateless, the server cannot associate the different requests of one client with each other. Often, however, data has to be assigned to a specific user for a defined period of time.

For example, the behaviour of a user has to be recorded over a defined period of time, or the products a user puts into the virtual shopping cart of an internet shop have to be remembered. Because the HTTP protocol cannot fulfil these requirements, Netscape invented a mechanism called cookie in 1994. Later this mechanism was defined in RFC 2109 and updated in RFC 2965.

2. The Cookie

A cookie is a small piece of data which the browser stores on the user's local hard drive. Either each cookie is saved in its own text file, or all cookies are saved as a list in one text file. All common browsers support cookies, and most of them offer the option to deactivate them.

From the time a cookie is set by a web server it is sent back as part of the HTTP request header for the lifetime of the cookie. The cookie is only sent back to the server which set it. Therefore the domain and the path the cookie is valid for are stored inside the cookie.

There are two different kinds of cookies:

  • Persistent Cookies
  • Session Cookies

Persistent cookies can be stored on the local hard drive for up to a year. They are used to configure web applications or to realize a permanent login. The lifetime of a persistent cookie has to be set by the developer. Session cookies are only valid for one session, that is, from the first visit of a website until the browser is closed. After the browser window is closed a session cookie is deleted and no longer valid.

3. From a technical point of view

The web server sets a cookie when the web application instructs it to. The data concerning the cookie is sent in the HTTP response header. Two different header keywords indicate that the browser has to store a cookie: Set-Cookie (RFC 2109) and Set-Cookie2 (RFC 2965). MS Internet Explorer 6.0 and Mozilla Firefox 1.5 still use the Set-Cookie keyword from RFC 2109, because the newer specification does not introduce any fundamental changes. The cookie class of the Java servlet API, javax.servlet.http.Cookie, also uses the old specification.

Excerpt from an HTTP response header setting a persistent cookie:

HTTP/1.x 302 Moved Temporarily
Server: Apache-Coyote/1.1
Set-Cookie: user=login=true; Expires=Tue, 16-Oct-2007 11:51:06 GMT; Path=/SecoTrain/pages/CS/de/

The following table lists all parameters of the Set-Cookie and Set-Cookie2 headers:

Parameter | Meaning | Optional/required | Set by (developer/browser/server)
--------- | ------- | ----------------- | ---------------------------------
NAME=VALUE | Name and value of the cookie. | optional | developer
Comment | A comment that describes the purpose of the cookie. | optional | developer
CommentURL (only Set-Cookie2) | A URL referring to a website that describes the purpose of the cookie. | optional | developer
Discard (only Set-Cookie2) | When set, the cookie is discarded as soon as the browser window is closed (session cookie). | optional | developer/browser
Domain | The domain the cookie is valid for. | optional | developer/browser (if not set by the developer, the browser sets it)
Max-Age | After Max-Age expires the cookie is deleted. | optional | developer/browser (if the developer does not specify Max-Age, the cookie is discarded when the browser window is closed)
Path | The path the cookie is valid for. | optional | developer/browser (if the developer does not specify it, the browser sets the path)
Port (only Set-Cookie2) | List of ports the cookie is valid for. | optional | developer (if the developer does not specify it, the cookie is transmitted on any port)
Secure | If Secure is set, the cookie is only transmitted over secure HTTPS connections. | optional | developer
Version | Version of the cookie specification (1.0). | required | browser

The domain, path and port attributes are always set: if the developer does not specify the values, the browser automatically writes the attributes into the cookie.

Because not every cookie should be sent to every requested web server, there is a validation mechanism.

A cookie is sent back to a web server only when all of the following conditions hold:

  • the domain, path and port of the requested server match the domain, path and port stored in the cookie
  • the type of connection (HTTP/HTTPS) is compatible with the Secure attribute: a cookie with Secure set is only sent over HTTPS
  • the max-age of the cookie has not yet expired

In the HTTP request header the cookie is identified by the keyword Cookie.

Excerpt from an HTTP request header:

Cookie: user=login=true; JSESSIONID=BD33790B59FA3E64DD01A5193D0C3CA2
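The Set-Cookie response excerpt, the attribute table and the send-back rules above can be put together in a small model of what the browser does with a cookie. The following Python code is an added example and not part of the original SecoTrain page: it parses a Set-Cookie header into the attributes from the table, tells persistent from session cookies by the presence of Expires or Max-Age, applies the domain, path, Secure and lifetime checks before a request is sent, and builds the resulting Cookie request header. The host www.example.test, the session id and the request URLs are constructed sample values; the Set-Cookie2 Port attribute is left out.

```python
"""Model of the cookie mechanism described on this page (added example, not
SecoTrain code). Sample hosts, session id and URLs are constructed values; the
clock is passed in explicitly so the expiry check is deterministic."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional
from urllib.parse import urlsplit


@dataclass
class Cookie:
    name: str
    value: str
    domain: str                        # Domain attribute, or the host that set the cookie
    path: str = "/"
    secure: bool = False
    expires: Optional[datetime] = None  # None means session cookie (no Expires/Max-Age)

    def is_session_cookie(self) -> bool:
        return self.expires is None


def _parse_expires(val: str) -> Optional[datetime]:
    """Accept the Netscape 'Wdy, DD-Mon-YYYY HH:MM:SS GMT' form used in the page's
    excerpt as well as the RFC 1123 form; anything else is treated as unset."""
    for fmt in ("%a, %d-%b-%Y %H:%M:%S GMT", "%a, %d %b %Y %H:%M:%S GMT"):
        try:
            return datetime.strptime(val, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    return None


def parse_set_cookie(header: str, request_host: str, request_path: str, now: datetime) -> Cookie:
    """Parse one Set-Cookie header value (RFC 2109 style attributes).
    Domain and Path default to the request host and the request URL's directory,
    which is what the table means by 'set by the browser'."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")     # value may itself contain '='
    cookie = Cookie(name=name.strip(), value=value.strip(), domain=request_host.lower())
    cookie.path = request_path.rsplit("/", 1)[0] + "/"   # "/a/b/c.html" -> "/a/b/"
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "domain" and val:
            cookie.domain = val.lower().lstrip(".")
        elif key == "path" and val:
            cookie.path = val
        elif key == "secure":
            cookie.secure = True
        elif key == "max-age" and val.isdigit():
            cookie.expires = now + timedelta(seconds=int(val))  # Max-Age wins over Expires
        elif key == "expires" and val and cookie.expires is None:
            cookie.expires = _parse_expires(val)
    return cookie


def should_send(cookie: Cookie, url: str, now: datetime) -> bool:
    """The page's send-back rules: domain, path, Secure and lifetime must all fit."""
    u = urlsplit(url)
    host = (u.hostname or "").lower()
    path = u.path or "/"
    domain_ok = host == cookie.domain or host.endswith("." + cookie.domain)
    path_ok = path == cookie.path or path.startswith(cookie.path.rstrip("/") + "/")
    secure_ok = (not cookie.secure) or u.scheme == "https"
    alive = cookie.expires is None or now < cookie.expires
    return domain_ok and path_ok and secure_ok and alive


def cookie_header(jar: List[Cookie], url: str, now: datetime) -> Optional[str]:
    """Build the 'Cookie:' request header line for url, or None if nothing applies."""
    pairs = [f"{c.name}={c.value}" for c in jar if should_send(c, url, now)]
    return "Cookie: " + "; ".join(pairs) if pairs else None


# Constructed sample data: the persistent cookie from the page's response excerpt
# and a Secure session cookie with a made-up session id.
NOW = datetime(2007, 1, 1, tzinfo=timezone.utc)
SET_COOKIE_PERSISTENT = "user=login=true; Expires=Tue, 16-Oct-2007 11:51:06 GMT; Path=/SecoTrain/pages/CS/de/"
SET_COOKIE_SESSION = "JSESSIONID=CONSTRUCTEDSESSIONID; Path=/SecoTrain; Secure"


def demo(now: datetime = NOW) -> dict:
    host = "www.example.test"
    set_path = "/SecoTrain/pages/CS/de/index.html"
    jar = [parse_set_cookie(SET_COOKIE_PERSISTENT, host, set_path, now),
           parse_set_cookie(SET_COOKIE_SESSION, host, set_path, now)]
    return {
        "kinds": ["session" if c.is_session_cookie() else "persistent" for c in jar],
        "same_path_https": cookie_header(jar, f"https://{host}/SecoTrain/pages/CS/de/next.html", now),
        "same_path_http": cookie_header(jar, f"http://{host}/SecoTrain/pages/CS/de/next.html", now),
        "other_path": cookie_header(jar, f"https://{host}/SecoTrain/pages/CS/en/", now),
        "other_host": cookie_header(jar, "https://other.example.test/SecoTrain/pages/CS/de/", now),
        "after_expiry": cookie_header(jar, f"http://{host}/SecoTrain/pages/CS/de/", now + timedelta(days=365)),
    }


if __name__ == "__main__":
    for case, header in demo().items():
        print(f"{case}: {header}")
```

Running demo() shows the rules from the list one at a time: over HTTPS on the cookie's path both cookies are sent; over plain HTTP the Secure session cookie is withheld; on the English path only the session cookie (Path=/SecoTrain) matches; another host gets nothing; and a year later the persistent cookie has expired.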

Further information concerning the technical details of cookies can be found in the RFCs.

4. When are cookies needed

Cookies are needed, for example, to:

  • save custom user configuration in a web application
  • save shopping carts
  • realize sessions

Copyright © 2006 SAP AG. All rights reserved.