Prologue
The first thing that comes to mind when you hear the word "Cookies" is the mouthwatering snack, available in a variety of flavors. In computing the word means something quite different.
Technically speaking, cookies are small pieces of information that a website stores in the user's browser, and that the browser sends back with every later request to that site. They typically hold a session identifier, language or display preferences, and similar per-user state, as key-value pairs.
Ex: Cookie: PHPSESSID=xyjaez1081lze23; lang=en
Why Cookies?
Whenever you request a page from your browser, the request travels over HTTP to the web server. HTTP is stateless: each request is handled on its own, so the server cannot tell by itself that two consecutive requests came from the same user, and someone who wished to continue their previous work could not, because nothing about them had been saved. Cookies solved this: the server hands the browser a small token, and the browser returns it with every subsequent request, letting the server tie those requests to one user.
Let's understand this with a small example.
Suppose you try to enter an organization's building without any ID: you will not be allowed in, as you are not verified. Carrying a proper ID solves the issue. The first case is what happens without cookies; the second shows how a cookie lets a site recognise you when you return.
Cookie Attributes
Domain : Specifies the host(s) to which the cookie is sent. When set, the cookie is also sent to subdomains of that domain; when omitted, it is sent only to the exact host that set it.
Path : Specifies the URL path prefix for which the cookie is sent.
Secure : Marks the cookie as one that is transmitted only over an encrypted (HTTPS) connection.
HttpOnly : Hides the cookie from client-side scripts (document.cookie); it is still sent with ordinary HTTP and HTTPS requests.
Max-Age : Specifies the cookie's lifetime in seconds from the moment it is received.
Expires : Sets an absolute expiry date. If both Max-Age and Expires are present, Max-Age takes precedence; if neither is present, the cookie lasts only until the browser session ends.
SameSite : Controls whether the cookie is attached to cross-site requests (see "How to Secure Cookies?" below). Browsers ignore attribute names they do not recognise.
Types of Cookies
First-party cookies − Are set by the domain the user is actually visiting. They carry the session, remember preferences, and let the site's own analytics count page views, sessions, and users.
Third-party cookies − Are set by domains that the user does not visit directly. This occurs when publishers include third-party elements on their website (such as a chatbot, social plugins, or advertisements); ad networks rely on these cookies to recognise the same browser across many sites and build profiles for ad targeting.
How to Secure Cookies?
Cookies tend to hold information such as:
User Authentication Details
User Preferences
Session History
Digital Footprint of the User
Such information is valuable to an attacker: a stolen session cookie can simply be replayed to impersonate the user (session hijacking), whether it was read by injected script, sniffed from an unencrypted connection, or leaked because the cookie's Domain or Path was scoped too widely.
To secure them, several techniques are used:
The HttpOnly flag does not stop XSS itself, but it prevents injected script from reading the cookie through document.cookie, which blocks the most common cookie-theft payload. It was historically bypassed by Cross-Site Tracing (XST), which abused the HTTP TRACE method to echo the request headers, cookie included, back to script; disabling TRACE on the server closes that hole, and modern browsers refuse to issue TRACE from script at all. Note that script running on the page can still make requests as the user, with the cookie attached automatically, even when it cannot read the cookie.
Set-Cookie: <name>=<value>[; Max-Age=<age>][; Expires=<date>][; Domain=<domain_name>][; Path=<some_path>][; Secure][; HttpOnly][; SameSite=<Strict|Lax|None>]
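As an added example (not code from the original post), the JavaScript below parses Set-Cookie headers in the form shown above, applies the Max-Age/Expires precedence from the attribute list earlier on the page, and reports the missing Secure, HttpOnly and SameSite flags a reviewer would look for. The header values and the name-based "looks like a session cookie" heuristic are constructed for illustration and are not taken from any real site.

```javascript
// Added example: parse Set-Cookie response headers and audit each cookie's
// security attributes. The sample headers below are constructed.

// Heuristic (an assumption for this example): names that look like session or
// auth tokens get an extra lifetime check.
const SESSION_NAME_HINT = /sess|auth|token|sid/i;

// Parse one Set-Cookie header value into { name, value, attrs }.
// Attribute names are case-insensitive (RFC 6265), so they are lowercased;
// flag attributes with no "=value" (Secure, HttpOnly) are stored as true.
function parseSetCookie(header) {
  const parts = header.split(";").map((p) => p.trim()).filter(Boolean);
  const eq = parts[0].indexOf("=");
  if (eq <= 0) throw new Error("Set-Cookie must start with name=value");
  const cookie = {
    name: parts[0].slice(0, eq).trim(),
    value: parts[0].slice(eq + 1).trim(),
    attrs: {},
  };
  for (const part of parts.slice(1)) {
    const i = part.indexOf("=");
    const key = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    cookie.attrs[key] = i === -1 ? true : part.slice(i + 1).trim();
  }
  return cookie;
}

// Lifetime in seconds from "now". Max-Age wins over Expires when both are
// present (RFC 6265 section 5.3); neither means a session cookie (null).
function cookieLifetimeSeconds(cookie, now = Date.now()) {
  const a = cookie.attrs;
  if (a["max-age"] !== undefined) {
    const n = Number.parseInt(a["max-age"], 10);
    return Number.isNaN(n) ? null : Math.max(n, 0);
  }
  if (a.expires !== undefined) {
    const t = Date.parse(a.expires);
    return Number.isNaN(t) ? null : Math.max(Math.round((t - now) / 1000), 0);
  }
  return null;
}

// Return the list of weaknesses found on one parsed cookie.
function auditCookie(cookie) {
  const a = cookie.attrs;
  const findings = [];
  if (a.secure !== true) findings.push("missing Secure");
  if (a.httponly !== true) findings.push("missing HttpOnly");
  const sameSite = typeof a.samesite === "string" ? a.samesite.toLowerCase() : undefined;
  if (sameSite === undefined) findings.push("missing SameSite");
  if (sameSite === "none" && a.secure !== true) findings.push("SameSite=None requires Secure");
  if (a.domain !== undefined) findings.push(`Domain=${a.domain} widens scope to subdomains`);
  const life = cookieLifetimeSeconds(cookie);
  if (SESSION_NAME_HINT.test(cookie.name) && life !== null && life > 86400) {
    findings.push(`session cookie lives ${life}s (> 1 day)`);
  }
  return findings;
}

// Constructed sample headers (not captured from any real server).
const SAMPLE_HEADERS = [
  "PHPSESSID=xyjaez1081lze23; Path=/",
  "lang=en; Max-Age=3600; Expires=Thu, 01 Jan 2099 00:00:00 GMT; SameSite=Lax",
  "auth=abc123; Secure; HttpOnly; SameSite=Strict; Path=/",
  "tracker=1; Domain=example.com; SameSite=None",
];

// Audit every header and return [{ name, findings }].
function auditAll(headers) {
  return headers.map(parseSetCookie).map((c) => ({ name: c.name, findings: auditCookie(c) }));
}

for (const r of auditAll(SAMPLE_HEADERS)) {
  console.log(`${r.name}: ${r.findings.length ? r.findings.join("; ") : "ok"}`);
}
```

Run it with node; the PHPSESSID cookie from the page's own example is reported as missing all three flags, the `auth` cookie passes, and the `lang` cookie's lifetime resolves to 3600 seconds because Max-Age overrides the far-future Expires.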
Serving the site over HTTPS and marking cookies Secure keeps them off plaintext connections, so they cannot be read or injected by someone on the network path.
The SameSite attribute restricts when a cookie is sent on cross-site requests, and therefore how close it is to a first-party-only cookie. It takes one of three values:
Strict : The cookie is never sent on a request that originates from another site, not even when the user follows a link from that site to yours; the user arrives logged out until they navigate within your site.
Lax : The cookie is sent on top-level navigations from another site that use a safe method (for example following a link with GET), but not on cross-site subresource loads or cross-site POSTs such as a forged form submission. This keeps the user logged in when they come from an outside link while still blocking most CSRF; Chromium-based browsers treat a missing SameSite as Lax.
None : The cookie is sent on all cross-site requests; browsers accept it only when Secure is also set.
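The following JavaScript is an added example, not code from the original post. It puts the first-party/third-party distinction from the "Types of Cookies" section and the three SameSite values above into one decision function: given a cookie and a request, it answers whether a browser would attach the cookie. The `siteOf` helper approximates a site as the last two host labels, an assumption made to keep the example self-contained (real browsers use the Public Suffix List); the hosts and request scenarios are constructed.

```javascript
// Added example: simulate the browser's "send this cookie?" decision under
// SameSite=Strict/Lax/None. Hostnames and requests below are constructed.

// Registrable domain approximated as the last two labels of the host. This is
// an assumption: real browsers consult the Public Suffix List, so that
// "example.co.uk" counts as one site.
function siteOf(host) {
  return host.toLowerCase().split(".").slice(-2).join(".");
}

// A request is first-party when the cookie's host belongs to the same site as
// the top-level page the user is on; otherwise it is third-party (cross-site).
function isThirdParty(cookieHost, topLevelHost) {
  return siteOf(cookieHost) !== siteOf(topLevelHost);
}

// Decision per SameSite value:
//   Strict: never sent on cross-site requests, even top-level navigations.
//   Lax:    sent on cross-site top-level navigations with safe methods
//           (GET/HEAD), never on cross-site subresources or cross-site POSTs.
//   None:   sent on every cross-site request, but only if the cookie is
//           Secure and the request is HTTPS.
// A missing SameSite is treated as Lax, as Chromium-based browsers do.
function shouldSendCookie(cookie, request) {
  if (cookie.secure && !request.https) return false; // Secure cookies never go over plain HTTP
  if (!isThirdParty(cookie.host, request.topLevelHost)) return true; // same-site: always sent
  const mode = (cookie.sameSite || "Lax").toLowerCase();
  switch (mode) {
    case "strict":
      return false;
    case "lax":
      return request.topLevelNavigation && ["GET", "HEAD"].includes(request.method);
    case "none":
      return cookie.secure === true && request.https;
    default:
      return false; // unknown value: be conservative
  }
}

// Constructed session cookie and request scenarios (not captured traffic).
// topLevelHost is the site shown in the address bar when the request fires.
const SESSION = { name: "sid", host: "bank.example", secure: true, sameSite: "Lax" };
const SCENARIOS = {
  sameSiteGet:      { topLevelHost: "bank.example", method: "GET",  https: true,  topLevelNavigation: true },
  crossSiteLinkGet: { topLevelHost: "evil.test",    method: "GET",  https: true,  topLevelNavigation: true },
  crossSitePost:    { topLevelHost: "evil.test",    method: "POST", https: true,  topLevelNavigation: true },
  crossSiteImage:   { topLevelHost: "evil.test",    method: "GET",  https: true,  topLevelNavigation: false },
  plainHttpGet:     { topLevelHost: "bank.example", method: "GET",  https: false, topLevelNavigation: true },
};

// Evaluate every scenario for one cookie and return { scenarioName: sent }.
function evaluate(cookie, scenarios = SCENARIOS) {
  const out = {};
  for (const [name, req] of Object.entries(scenarios)) out[name] = shouldSendCookie(cookie, req);
  return out;
}

for (const mode of ["Strict", "Lax", "None"]) {
  console.log(mode, evaluate({ ...SESSION, sameSite: mode }));
}
```

The `crossSitePost` scenario is the classic CSRF shape: a form on evil.test submitted to bank.example. With Strict or Lax the session cookie stays home and the forged request arrives unauthenticated; only SameSite=None lets it through, which is why None should be reserved for cookies that genuinely must travel cross-site.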
Conclusion
Cookies underpin almost every service on the Internet, so the information they carry has to be guarded against leaks. As a user, a simple step is to block third-party cookies in your browser settings, or to allow sites to set only the cookies they need.
As a developer, review the cookies your application sets: keep session cookies Secure, HttpOnly and SameSite, scope Domain and Path as narrowly as possible, and give them a lifetime no longer than the session requires.