Before moving on to the second part of the XSS tutorial, let's first understand what cookies are, what role they play, and the different types of cookies.
Cookies have, for some reason, gained a rather sinister image. But they really are simple and harmless. (Note that this question became so popular that HowStuffWorks now has a complete article on cookies.)
A cookie is just one or more pieces of information stored as text strings on your machine. A Web server sends you a cookie and the browser stores it. The browser then returns the cookie to the server the next time the page is referenced.
The most common use of a cookie is to store a user ID. For example, the cookie might contain the following string:
How Cookies Work
A definition you will often see (and which is wrong) goes like this: "Cookies are programs that Web sites put on your hard disk. They sit on your computer gathering information about you and everything you do on the Internet, and whenever the Web site wants to it can download all of the information the cookie has collected." Definitions like that are fairly common in the press. The problem is, none of that information is correct. Cookies are not programs, and they cannot run like programs do. Therefore, they cannot gather any information on their own. Nor can they collect any personal information about you from your machine.
Here is a valid definition of a cookie: A cookie is a piece of text that a Web server can store on a user's hard disk. Cookies allow a Web site to store information on a user's machine and later retrieve it. The pieces of information are stored as name-value pairs.
For example, a Web site might generate a unique ID number for each visitor and store the ID number on each user's machine using a cookie file.
If you use Microsoft's Internet Explorer to browse the Web, you can see all of the cookies that are stored on your machine. The most common place for them to reside is in a directory called c:\windows\cookies. When I look in that directory on my machine, I find 165 files. Each file is a text file that contains name-value pairs, and there is one file for each Web site that has placed cookies on my machine.
You can see in the directory that each of these files is a simple, normal text file. You can see which Web site placed the file on your machine by looking at the file name (the information is also stored inside the file). You can open each file by clicking on it.
For example, I have visited goto.com, and the site has placed a cookie on my machine. The cookie file for goto.com contains the following information:
UserID A9A3BECE0563982D www.goto.com/

Goto.com has stored on my machine a single name-value pair. The name of the pair is UserID, and the value is A9A3BECE0563982D. The first time I visited goto.com, the site assigned me a unique ID value and stored it on my machine.
(Note that there probably are several other values stored in the file after the three shown above. That is housekeeping information for the browser.)
Amazon.com stores a bit more information on my machine. When I look at the cookie file Amazon has created on my machine, it contains the following:
session-id-time 954242000 amazon.com/
session-id 002-4135256-7625846 amazon.com/
x-main eKQIfwnxuF7qtmX52x6VWAXh@Ih6Uo5H amazon.com/
ubid-main 077-9263437-9645324 amazon.com/

It appears that Amazon stores a main user ID, an ID for each session, and the time the session started on my machine (as well as an x-main value, which could be anything).
The vast majority of sites store just one piece of information -- a user ID -- on your machine. But a site can store many name-value pairs if it wants to.
A name-value pair is simply a named piece of data. It is not a program, and it cannot "do" anything. A Web site can retrieve only the information that it has placed on your machine. It cannot retrieve information from other cookie files, nor any other information from your machine.
ID=96352398
Amazon.com is one site that uses this technique. When you order a book, you fill out a form with your name and address. Amazon assigns you an ID, stores your information with that ID in its database on the server, and sends the ID to your browser as a cookie. Your browser stores the ID on your hard disk. The next time you go to Amazon, the ID is sent back to the server. The server looks you up by your ID and customizes the Web page it sends back to you. The page might say, "Welcome back, Joe Smith!"
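The round trip just described (server assigns an ID, stores the user's details under it, sends the ID as a cookie, and looks the visitor up when the cookie comes back) as a small added example written for this page, not code from HowStuffWorks or from any site named above. The in-memory USER_DB dictionary stands in for the server's database, and the ID is a random token rather than a guessable number like 96352398, because anyone who can guess a valid ID is "Joe Smith" as far as the server is concerned:

```python
import secrets
from http.cookies import SimpleCookie

# Constructed stand-in for the server-side database: session ID -> user record.
USER_DB = {}


def issue_session(name, address):
    """Server side, first visit: store the user's details under a fresh ID and
    return the Set-Cookie header that hands that ID to the browser."""
    # 128 bits from the OS CSPRNG; a sequential counter would let one user
    # guess another user's ID and be greeted with their name.
    session_id = secrets.token_hex(16)
    USER_DB[session_id] = {"name": name, "address": address}

    cookie = SimpleCookie()
    cookie["ID"] = session_id
    cookie["ID"]["path"] = "/"
    cookie["ID"]["secure"] = True      # only sent over HTTPS
    cookie["ID"]["httponly"] = True    # not readable from page scripts
    cookie["ID"]["samesite"] = "Lax"   # not sent on most cross-site requests
    return cookie.output(header="Set-Cookie:").strip()


def greet(cookie_header):
    """Server side, next visit: parse the browser's Cookie request header,
    look the ID up, and build the personalised greeting."""
    cookie = SimpleCookie()
    cookie.load(cookie_header)
    morsel = cookie.get("ID")
    # An absent, malformed or unknown ID is simply an anonymous visitor.
    if morsel is None or morsel.value not in USER_DB:
        return "Welcome, new visitor!"
    return f"Welcome back, {USER_DB[morsel.value]['name']}!"


if __name__ == "__main__":
    header = issue_session("Joe Smith", "1 Main St")  # constructed sample user
    print(header)
    sid = header.split("ID=")[1].split(";")[0]
    print(greet(f"ID={sid}"))          # the browser sends the ID back
    print(greet("ID=96352398"))        # a guessed ID matches nobody
```

The Set-Cookie line printed by issue_session carries the ID plus the Secure, HttpOnly and SameSite attributes described later on this page; a browser sends only the name=value part back in its Cookie header, which is what greet() parses.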
You may be wondering:
Is there any more to cookies than that? No. They are simply text strings. On my machine there is a directory called c:\windows\cookies that contains all of the cookies. They are little text files -- you can open them up and see the strings that are being saved.
Are cookies harmful? No. They are just short text strings, and they can often make browsing better by allowing a server to recall any customized information you have set.
Are cookies common? Yes. There are over 500 separate cookies on my hard disk.
Can cookies transmit computer viruses? No. They are just text strings.
Can a company read my personal information from my hard disk with a cookie? No. Only the cookie that is sent in the first place is returned to the server. It is not modified or manipulated in any way.
What are Computer/Browser Cookies? Different Types of Cookies:
Session cookie
A session cookie lasts only up to a certain number of hours, depending on the website. After the session period is over, it is destroyed.
Persistent Cookie
A persistent cookie will outlast user sessions. If a persistent cookie has its Max-Age set to 1 year, then, within the year, the initial value set in that cookie would be sent back to the server every time the user visited the server. This could be used to record a vital piece of information such as how the user initially came to this website. For this reason, persistent cookies are also called tracking cookies or in-memory cookies.
Secure cookie
Secure cookies are encrypted cookies. If you use HTTPS (a secure connection), the cookies are stored in encrypted format. Even if hackers steal the cookie, they are able to see only the encrypted data.
Example:
Bank websites always use Secure Cookies.
HttpOnly cookie
The HttpOnly cookie is supported by most modern browsers. On a supported browser, an HttpOnly session cookie will be used only when transmitting HTTP (or HTTPS) requests, thus restricting access from other, non-HTTP APIs (such as JavaScript). This restriction mitigates but does not eliminate the threat of session cookie theft via cross-site scripting.[15] It is important to realize this feature applies only to session-management cookies, and not other browser cookies.
Third-party cookie
Third-party cookies are cookies stored under a domain other than the one of the website being visited.
For example:
www.example.com stores its cookies with ad.advertise12.com
At the same time, another website also sets cookies with the same domain:
www.othersite.com stores its cookies with ad.advertise12.com
Supercookie
A "supercookie" is a cookie with a public suffix domain, like .com, .co.in or .in.
Most browsers, by default, allow first-party cookies: a cookie whose domain is the same as, or a parent domain of, the requesting host. For example, a user visiting www.example.com can have a cookie set with domain www.example.com or .example.com, but not .com. A supercookie with domain .com would be blocked by browsers; otherwise, a malicious website, like attacker.com, could set a supercookie with domain .com and potentially disrupt or impersonate legitimate user requests to example.com.
Zombie cookie
A zombie cookie is any cookie that is automatically recreated after a user has deleted it. This is accomplished by a script storing the content of the cookie in some other location, such as the local storage available to Flash content, HTML5 storage and other client-side mechanisms, and then recreating the cookie from the backup store when the cookie's absence is detected.
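The distinctions in the sections above (session versus persistent, Secure, HttpOnly, first- versus third-party, and the public-suffix "supercookie" that browsers refuse) can all be read off a Set-Cookie header. The auditor below is an added example written for this page, not code from the original post; it takes one Set-Cookie header together with the host that sent it and the host of the page the user is viewing, classifies the cookie the way a browser would, and lists the protections it lacks. The PUBLIC_SUFFIXES set is a tiny constructed stand-in for the real Public Suffix List, and the sample headers reuse the names shown earlier on this page:

```python
# Tiny constructed stand-in for the Public Suffix List (publicsuffix.org);
# a real auditor would load the full list.
PUBLIC_SUFFIXES = {"com", "net", "org", "in", "co.in"}


def registrable_domain(host):
    """The 'site' part of a host: www.example.com -> example.com,
    shop.example.co.in -> example.co.in. Returns None when the host is
    itself a public suffix, i.e. the domain a supercookie would claim."""
    labels = host.lower().strip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:]) if i > 0 else None
    return ".".join(labels)


def parse_set_cookie(header):
    """Split 'name=value; Attr=val; Flag' into (name, value, {attr: val}).
    Attribute names are case-insensitive, so they are lower-cased."""
    if header.lower().startswith("set-cookie:"):
        header = header.split(":", 1)[1]
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def audit(set_cookie, response_host, page_host):
    """Classify one cookie and list weak settings.
    response_host: host whose response carried the header.
    page_host: host of the top-level page the user is looking at."""
    name, _, attrs = parse_set_cookie(set_cookie)
    findings = []

    # Only Max-Age or Expires makes a cookie outlive the browser session.
    lifetime = "persistent" if ("max-age" in attrs or "expires" in attrs) else "session"

    # The cookie belongs to its Domain attribute, or to the responding host by default.
    domain = attrs.get("domain", "").lower().lstrip(".") or response_host.lower()
    cookie_site = registrable_domain(domain)
    host_matches = response_host.lower() == domain or response_host.lower().endswith("." + domain)
    if cookie_site is None:
        party = "rejected"
        findings.append(f"Domain={attrs.get('domain')} is a public suffix (supercookie); browsers refuse it")
    elif not host_matches:
        party = "rejected"
        findings.append(f"Domain={attrs.get('domain')} does not cover {response_host}; browsers refuse it")
    elif cookie_site == registrable_domain(page_host):
        party = "first-party"
    else:
        party = "third-party"

    # Transport and script-access protections.
    if "secure" not in attrs:
        findings.append("missing Secure (cookie is also sent over plaintext HTTP)")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly (readable via document.cookie, so XSS can steal it)")
    if "samesite" not in attrs:
        findings.append("missing SameSite (sent on cross-site requests)")

    return {"name": name, "lifetime": lifetime, "party": party, "findings": findings}


if __name__ == "__main__":
    # Constructed sample headers using the hosts named on this page.
    samples = [
        ("Set-Cookie: session-id=002-4135256-7625846; Path=/; Secure; HttpOnly; SameSite=Lax",
         "www.amazon.com", "www.amazon.com"),
        ("uid=A9A3BECE0563982D; Domain=.advertise12.com; Max-Age=31536000",
         "ad.advertise12.com", "www.example.com"),
        ("track=1; Domain=.com; Secure; HttpOnly; SameSite=Lax",
         "attacker.com", "www.example.com"),
    ]
    for header, sender, page in samples:
        print(audit(header, sender, page))
```

Run as a script it prints one result per sample: the Amazon-style session cookie is first-party with no findings, the ad-network cookie is a persistent third-party cookie missing all three protections, and the Domain=.com cookie is reported as a supercookie that a browser would refuse.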
What is the use of Cookies?
Session management
Cookies may be used to maintain data related to the user during navigation, possibly across multiple visits. Cookies were introduced to provide a way to implement a "shopping cart" (or "shopping basket"), a virtual device into which users can store items they want to purchase as they navigate throughout the site.
Personalization
Cookies may be used to remember the information about the user who has visited a website in order to show relevant content in the future. For example a web server may send a cookie containing the username last used to log in to a web site so that it may be filled in for future visits.
Tracking
Tracking cookies may be used to track internet users' web browsing habits. This can also be done in part by using the IP address of the computer requesting the page or the referrer field of the HTTP request header, but cookies allow for greater precision.