2.1.4 Cookies

Cookies

In 1994, cookies were introduced to make HTTP stateful, overcoming its inherent statelessness. Cookies are text fragments stored by a web browser, primarily used for maintaining user state between HTTP requests. The key components of a cookie include:

  • Domain: Specifies the domain for which the cookie is valid. It can be a specific domain or a broader domain, including subdomains. A leading dot is ignored, and if not specified, the browser sets it to the server's domain. E.g., A website can only set sets a cookie for the domain: google.com or .google.com. This means that the browser will install the cookie in the cookie jar and will send this cookie for any subsequent request to google.com, www.google.com, and maps.google.com.

    The scope of this cookie will be *.google.com.

  • Expires: Sets a time constraint on the cookie. Session cookies expire when the session ends.

  • Path: Specifies the requests within the domain for which the browser should send the cookie.

    For cookies with path=/downloads, all subsequent requests to:

    • /downloads

    • /downloads/foo

    • /downloads/foo/bar will include this cookie. The browser will not send this cookie for requests to /blog or /members

  • Content: A cookie can carry multiple values simultaneously. A sever can set multiple values with a single Set-Cookie header by specifying multiple KEY=Value pairs.

    For example: Set-Cookie: Username="john"; Authenticated="1"

  • HTTP Only Flag: Ensures the browser sends the cookie only through HTTP, preventing access via non-HTML technologies like JavaScript, Flash, or Java, protecting against XSS attacks.

  • Secure Flag: Restricts the cookie to be sent only through HTTPS, enhancing security by preventing transmission in clear text.

Cookies Domain

The domain attribute plays a crucial role in determining the validity of a cookie. It, along with path, secure, and expires attributes, helps decide if a cookie should be submitted with a new HTTP request. RFC6265 distinguishes cookies set with a specified domain value from those without.

A cookie with a specified domain value will be sent if the cookie domain matches the target domain or is a suffix of the target domain.

  • Example 1: Cookie domain value = els.ptp.site, and the target domain is els.ptp.site. The cookie will be sent.

  • Example 2: Cookie domain value = ptp.site, and the target domain is els.ptp.site. The cookie will be sent because ptp.site is a suffix of els.ptp.site.

Security Implications: Lower-level subdomains can set cookies for higher domains, but the reverse is not true.

A cookie without a specified domain value assumes the host-only flag is set to true.

  • Example: If a cookie is set by a page on elsptp.site without a domain value, it will be sent only to requests matching http[s]://elsptp.site/*.

Internet Explorer Exception

  • Internet Explorer does not distinguish between cookies with specified and unspecified domain values. It interprets cookies without a domain value as if they had a domain corresponding to the target domain set in it.

The process of cookie installation involves the following steps:

  1. Login: A login page is where a session begins, and a cookie is installed in the browser.

  2. POST /login.php: The website responds with a Set-Cookie header containing the cookie details.

  3. Cookie: For subsequent requests, the browser includes the cookie in the Request header.

  • Example 1: Cookie without a domain value is sent by the web server and accepted by the browser. The cookie is available only to the target domain a.elsptp.site.

  • Example 2: Cookie with domain value .elsptp.site is sent, accepted, and sent in requests to matching URLs.

  • Example 3: Cookie without a domain value and with the path /learning is sent and accepted, available only to the target domain a.elsptp.site and path /learning.

  • Example 4: Two different cookies are accepted and stored by the browser without interfering with each other.

The browser rejects a cookie with the domain value b.elsptp.site, as it is not a suffix of the domain a.elsptp.site that sent the cookie.