2.1.4 Cookies
Cookies
In 1994, cookies were introduced to make HTTP stateful, overcoming its inherent statelessness. Cookies are text fragments stored by a web browser, primarily used for maintaining user state between HTTP requests. The key components of a cookie include:
Domain: Specifies the domain for which the cookie is valid. It can be a specific domain or a broader domain, including subdomains. A leading dot is ignored, and if not specified, the browser sets it to the server's domain. E.g., A website can only set sets a cookie for the domain:
google.com
or.google.com
. This means that the browser will install the cookie in the cookie jar and will send this cookie for any subsequent request togoogle.com
,www.google.com
, andmaps.google.com
.The scope of this cookie will be
*.google.com
.Expires: Sets a time constraint on the cookie. Session cookies expire when the session ends.
Path: Specifies the requests within the domain for which the browser should send the cookie.
For cookies with path=
/downloads
, all subsequent requests to:/downloads
/downloads/foo
/downloads/foo/bar
will include this cookie. The browser will not send this cookie for requests to/blog
or/members
Content: A cookie can carry multiple values simultaneously. A sever can set multiple values with a single
Set-Cookie
header by specifying multipleKEY=Value
pairs.For example:
Set-Cookie: Username="john"; Authenticated="1"
HTTP Only Flag: Ensures the browser sends the cookie only through HTTP, preventing access via non-HTML technologies like JavaScript, Flash, or Java, protecting against XSS attacks.
Secure Flag: Restricts the cookie to be sent only through HTTPS, enhancing security by preventing transmission in clear text.
Cookies Domain
The domain
attribute plays a crucial role in determining the validity of a cookie. It, along with path
, secure
, and expires
attributes, helps decide if a cookie should be submitted with a new HTTP request. RFC6265 distinguishes cookies set with a specified domain value from those without.
A cookie with a specified domain value will be sent if the cookie domain matches the target domain or is a suffix of the target domain.
Example 1: Cookie domain value = els.ptp.site, and the target domain is els.ptp.site. The cookie will be sent.
Example 2: Cookie domain value = ptp.site, and the target domain is els.ptp.site. The cookie will be sent because ptp.site is a suffix of els.ptp.site.
Security Implications: Lower-level subdomains can set cookies for higher domains, but the reverse is not true.
Unspecified Cookie Domain
A cookie without a specified domain value assumes the host-only flag is set to true.
Example: If a cookie is set by a page on elsptp.site without a domain value, it will be sent only to requests matching http[s]://elsptp.site/*.
Internet Explorer Exception
Internet Explorer does not distinguish between cookies with specified and unspecified domain values. It interprets cookies without a domain value as if they had a domain corresponding to the target domain set in it.
Inspecting the Cookie Protocol
The process of cookie installation involves the following steps:
Login: A login page is where a session begins, and a cookie is installed in the browser.
POST /login.php: The website responds with a Set-Cookie header containing the cookie details.
Cookie: For subsequent requests, the browser includes the cookie in the Request header.
Cookie Installation Examples
Correct Cookie Installation
Example 1: Cookie without a domain value is sent by the web server and accepted by the browser. The cookie is available only to the target domain a.elsptp.site.
Example 2: Cookie with domain value .elsptp.site is sent, accepted, and sent in requests to matching URLs.
Example 3: Cookie without a domain value and with the path /learning is sent and accepted, available only to the target domain a.elsptp.site and path /learning.
Example 4: Two different cookies are accepted and stored by the browser without interfering with each other.
Incorrect Cookie Installation
The browser rejects a cookie with the domain value b.elsptp.site, as it is not a suffix of the domain a.elsptp.site that sent the cookie.