Summary


HTTP cookies (also called web cookies, Internet cookies, browser cookies, or simply cookies) are small blocks of data created by a web server while a user is browsing a website and placed on the user’s computer or other device by the user’s web browser. Cookies are placed on the device used to access a website, and more than one cookie may be placed on a user’s device during a session.

Refs

https://en.wikipedia.org/wiki/HTTP%5Fcookie

Details

Cookies serve useful and sometimes essential functions on the web. They enable web servers to store stateful information (such as items added in the shopping cart in an online store) on the user’s device or to track the user’s browsing activity (including clicking particular buttons, logging in, or recording which pages were visited in the past)[1]. They can also be used to save for subsequent use information that the user previously entered into form fields, such as names, addresses, passwords, and payment card numbers.

Authentication cookies

Authentication cookies are commonly used by web servers to authenticate that a user is logged in, and with which account they are logged in. Without the cookie, users would need to authenticate themselves by logging in on each page containing sensitive information that they wish to access. The security of an authentication cookie generally depends on the security of the issuing website and the user’s web browser, and on whether the cookie data is encrypted.

Tracking cookies

Tracking cookies, and especially third-party tracking cookies, are commonly used as ways to compile long-term records of individuals' browsing histories — a potential privacy concern that prompted European[3] and U.S. lawmakers to take action in 2011.[4][5] European law requires that all websites targeting European Union member states gain “informed consent” from users before storing non-essential cookies on their device.

A session cookie (also known as an in-memory cookie, transient cookie or non-persistent cookie) exists only in temporary memory while the user navigates a website.[21] Session cookies expire or are deleted when the user closes the web browser.[22] Session cookies are identified by the browser by the absence of an expiration date assigned to them.

A persistent cookie expires at a specific date or after a specific length of time.

A secure cookie can only be transmitted over an encrypted connection (i.e. HTTPS).

An http-only cookie cannot be accessed by client-side APIs, such as JavaScript. This restriction eliminates the threat of cookie theft via cross-site scripting (XSS). However, the cookie remains vulnerable to cross-site tracing (XST) and cross-site request forgery (CSRF) attacks. A cookie is given this characteristic by adding the HttpOnly flag to the cookie.

In 2016 Google Chrome version 51 introduced[23] a new kind of cookie with the attribute SameSite. The attribute SameSite can have a value of Strict, Lax or None.[24] With SameSite=Strict, browsers only send the cookie to a target domain that is the same as the origin domain.

Other types of cookies

  1. Zombie cookies and more

Structure

A cookie consists of the following components:[43][44]

  • Name
  • Value
  • Zero or more attributes (name/value pairs). Attributes store information such as the cookie’s expiration, domain, and flags (such as Secure and HttpOnly).

Uses

  1. Session Management
  2. Personalization
  3. Tracking
  4. etc.

#Request
GET /index.html HTTP/1.1
Host: www.example.org
...

#Response
HTTP/1.0 200 OK
Content-type: text/html
Set-Cookie: theme=light
Set-Cookie: sessionToken=abc123; Expires=Wed, 09 Jun 2021 10:18:14 GMT

Explanation

The server’s HTTP response contains the contents of the website’s homepage. But it also instructs the browser to set two cookies.

  1. The first, “theme”, is considered to be a session cookie since it does not have an Expires or Max-Age attribute. Session cookies are intended to be deleted by the browser when the browser closes.
  2. The second, “sessionToken”, is considered to be a persistent cookie since it contains an Expires attribute, which instructs the browser to delete the cookie at a specific date and time.

# next request to get spec.html page
GET /spec.html HTTP/1.1
Host: www.example.org
Cookie: theme=light; sessionToken=abc123
…

This way, the server knows that this HTTP request is related to the previous one (via the sessionToken cookie).

In addition to a name and value, cookies can also have one or more attributes. Browsers do not include cookie attributes in requests to the server—they only send the cookie’s name and value. Cookie attributes are used by browsers to determine when to delete a cookie, block a cookie or whether to send a cookie to the server.

Domain and Path

The Domain and Path attributes define the scope of the cookie. They essentially tell the browser what website the cookie belongs to. For security reasons, cookies can only be set on the current resource’s top domain and its subdomains, and not for another domain and its subdomains. For example, the website example.org cannot set a cookie that has a domain of foo.com because this would allow the website example.org to control the cookies of the domain foo.com.

Example

Below is an example of some Set-Cookie header fields in the HTTP response of a website after a user logged in. The HTTP request was sent to a webpage within the docs.foo.com subdomain:

HTTP/1.0 200 OK
Set-Cookie: LSID=DQAAAK…Eaem_vYg; Path=/accounts; Expires=Wed, 13 Jan 2021 22:23:01 GMT; Secure; HttpOnly
Set-Cookie: HSID=AYQEVn…DKrdst; Domain=.foo.com; Path=/; Expires=Wed, 13 Jan 2021 22:23:01 GMT; HttpOnly
Set-Cookie: SSID=Ap4P…GTEq; Domain=foo.com; Path=/; Expires=Wed, 13 Jan 2021 22:23:01 GMT; Secure; HttpOnly
…

Explanation

The first cookie, LSID, has no Domain attribute, and has a Path attribute set to /accounts. This tells the browser to use the cookie only when requesting pages contained in docs.foo.com/accounts (the domain is derived from the request domain). The other two cookies, HSID and SSID, would be used when the browser requests any subdomain in .foo.com on any path (for example www.foo.com/bar). The prepending dot is optional in recent standards, but can be added for compatibility with RFC 2109 based implementations.[54]
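The following is an added example, not code from the original page: it parses the three Set-Cookie headers above into the name/attribute structure described in the Structure section and then applies the Domain, Path and Secure rules from the Domain and Path explanation to decide which cookies a browser would attach to a later request. Matching follows RFC 6265; the request path /accounts/login and the URLs tried are assumptions.

```python
# Added example, not the page's own code: parse the Set-Cookie headers shown above and
# decide which cookies a browser would attach to a later request, applying the Domain,
# Path and Secure rules described in the text (matching as in RFC 6265).
from dataclasses import dataclass
from urllib.parse import urlsplit
# Constructed input, copied from the page's example (values are the page's placeholders).
SET_COOKIE_HEADERS = [
    "LSID=DQAAAK...Eaem_vYg; Path=/accounts; Expires=Wed, 13 Jan 2021 22:23:01 GMT; Secure; HttpOnly",
    "HSID=AYQEVn...DKrdst; Domain=.foo.com; Path=/; Expires=Wed, 13 Jan 2021 22:23:01 GMT; HttpOnly",
    "SSID=Ap4P...GTEq; Domain=foo.com; Path=/; Expires=Wed, 13 Jan 2021 22:23:01 GMT; Secure; HttpOnly",
]

@dataclass
class Cookie:
    name: str
    domain: str      # lower-cased, leading dot stripped (the RFC 2109 style dot is ignored)
    path: str
    host_only: bool  # no Domain attribute: only the exact request host may receive it
    secure: bool     # Secure flag: never sent over plain http

def parse_set_cookie(header: str, request_host: str, request_path: str = "/") -> Cookie:
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].partition("=")[0].strip()
    attrs = {k.strip().lower(): v.strip() for k, _, v in (p.partition("=") for p in parts[1:])}
    domain = attrs.get("domain")
    # Default path (RFC 6265 5.1.4): the request path up to, not including, its last "/".
    default_path = request_path.rsplit("/", 1)[0] or "/"
    return Cookie(name=name,
                  domain=(domain or request_host).lstrip(".").lower(),
                  path=attrs.get("path") or default_path,
                  host_only=domain is None,
                  secure="secure" in attrs)

def matches(c: Cookie, url: str) -> bool:
    u = urlsplit(url)
    host, path = u.hostname.lower(), (u.path or "/")
    if c.secure and u.scheme != "https":
        return False
    domain_ok = host == c.domain or (not c.host_only and host.endswith("." + c.domain))
    # Path-match: equal, or the cookie path is a prefix that ends at a "/" boundary.
    path_ok = path == c.path or (path.startswith(c.path)
                                 and (c.path.endswith("/") or path[len(c.path)] == "/"))
    return domain_ok and path_ok

def cookies_sent(jar: list, url: str) -> list:
    return [c.name for c in jar if matches(c, url)]

# The page's scenario: the response was for a page under docs.foo.com (path assumed).
JAR = [parse_set_cookie(h, "docs.foo.com", "/accounts/login") for h in SET_COOKIE_HEADERS]
```

Running cookies_sent(JAR, "https://www.foo.com/bar") returns only HSID and SSID, as the explanation states, while a plain http:// request to the same host drops the two Secure cookies.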