Web Cookies

Stateful Browsing and Its Security Implications

A little Cookie History

Before the web cookie, websites had no way of storing relevant information about their customers, which made creating commercial websites difficult because they lacked the information needed to facilitate customer relations. The cookie was invented in 1994 by Lou Montulli, who at the time was an employee at Netscape Communications. Netscape was tasked with finding a way to retain customer data without having to store it on company servers, which led to the idea of storing each customer’s data on their own computer. This effectively allowed websites to track the behavior of their users and improve the user experience. After their creation, cookies became a must-have feature of every commercial website. Although cookies were widely used, it was not until three years after their invention that the public actually learned what cookies are. This immediately raised concerns within the security community and also caught the attention of the media because of the obvious potential security implications.

Why Cookies?

Cookies are a way for websites to get to know their customers. Each cookie stores some information about a user so that the website can remember and identify every returning user. This is great for improving the user experience because users do not have to constantly repeat actions that they’ve probably done many times before, for example logging into their accounts or adding an item back into the shopping cart. By remembering who you are, websites using cookies can provide a personalized user experience. There are several types of cookies in use:

First-party cookies: first-party cookies are the cookies created and used by the main website a user visits. They are used to collect analytical data about the users that visit the site in order to improve the user experience.

Third-party cookies: third-party cookies are cookies that belong to websites other than the site you’re on, for example, on websites that show ads from other domains. These are commonly used for ad-targeting.

Session cookies: Session cookies are used to collect information about any given session created by the user and the server. These cookies are commonly used by e-commerce websites and they allow a user to remain logged into their account for a certain amount of time and also keep track of any of the actions performed on the website by the user. Session cookies are stored in memory and are never stored on disk. This means that when you close your browser, these cookies are destroyed.

Persistent cookies: persistent cookies are those that “persist” within your browser long after their creation. The website determines how long these cookies will be valid. For example, Google’s persistent cookies last up to six months. These cookies reside on disk after the browser session is closed, which gives them their persistent quality.

Secure cookies: secure cookies are web cookies that have the Secure attribute set in the Set-Cookie header. They are only transmitted to the recipient server in requests made over secure HTTP channels (HTTPS).

On Cookie Security

There are many security issues regarding the web cookie. The most discussed topic regarding cookies is privacy. Because cookies can be used to monitor the behavior of the user across many domains, they give companies a way to essentially track you across the Internet. User profiling systems have been designed based on the information they can extract from cookies. These profiling systems allow websites to serve information to the user based on private information such as browsing history or viewed content. Cookies also pose a risk to a website’s authentication. Cross-Site Scripting (XSS) attacks can be weaponized to steal user cookies and authenticate to a service with those stolen cookies. Cookies can also be abused in Cross-Site Request Forgery (CSRF) attacks to deceive a user into inadvertently performing an action on a service with the identity associated with the cookie, such as changing the user’s password or sending money to an adversary-controlled service. Below is an example of how one can log in to someone else’s account solely by obtaining the victim’s cookie (NOTE: in the real world the cookie would have to be obtained by MITM or an attack such as XSS, but in this example I simply copied a user’s cookie for demonstration purposes).

Abusing Cookie Example

Signing up with an account, with the credentials of “alice:alice”

Displaying alice’s cookie in the Developer’s console by retrieving the value of the document.cookie variable and then copying it to attempt to login as alice.

Setting alice’s copied cookie in our current session, which is not logged in to any account, and then refreshing the page to see if we log in as alice.

After setting alice’s cookie and refreshing our page we successfully logged in as alice!
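
The demonstration above works because the session cookie can be read through document.cookie and then replayed from another browser. As an added example (not code from the original post or from the demo application), the following JavaScript audits Set-Cookie header values for the attributes that limit that exposure and classifies each cookie as session or persistent; the function names and sample headers are constructed for illustration.

```javascript
// Added example: audit Set-Cookie header values for the attributes relevant
// to the XSS, MITM and CSRF risks described above. Sample headers are constructed.

// Parse one Set-Cookie header value into { name, value, attrs }.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = {
    name: eq === -1 ? '' : pair.slice(0, eq),
    value: pair.slice(eq + 1),
    attrs: {},
  };
  for (const part of rest) {
    if (!part) continue;
    const i = part.indexOf('=');
    // Attribute names are case-insensitive; flags such as Secure have no value.
    const key = (i === -1 ? part : part.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : part.slice(i + 1);
  }
  return cookie;
}

// Return the cookie's lifetime class and a list of findings.
function auditCookie(header) {
  const { name, attrs } = parseSetCookie(header);
  const findings = [];
  // Without HttpOnly, page script can read the cookie through document.cookie.
  if (!attrs.httponly) findings.push('missing HttpOnly: readable via document.cookie');
  // Without Secure, the cookie is also sent over plain HTTP.
  if (!attrs.secure) findings.push('missing Secure: sent over unencrypted HTTP');
  // SameSite limits when the cookie is attached to cross-site requests (CSRF).
  const sameSite = String(attrs.samesite || '').toLowerCase();
  if (!sameSite) findings.push('missing SameSite: browser default applies');
  else if (sameSite === 'none' && !attrs.secure) findings.push('SameSite=None without Secure');
  // Expires or Max-Age makes a cookie persistent; otherwise it is a session cookie.
  const lifetime = 'expires' in attrs || 'max-age' in attrs ? 'persistent' : 'session';
  return { name, lifetime, findings };
}

// Constructed sample headers (not taken from the demo application).
const SAMPLE_HEADERS = [
  'session=abc123; Path=/',
  'session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax',
  'prefs=dark; Max-Age=15552000; Path=/; Secure; SameSite=None',
];
for (const h of SAMPLE_HEADERS) {
  const r = auditCookie(h);
  console.log(`${r.name} [${r.lifetime}]`, r.findings.length ? r.findings : 'ok');
}
```

HttpOnly only blocks the document.cookie read shown in the second step; a cookie value obtained some other way can still be replayed, which is why short lifetimes and server-side session invalidation matter as well.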

The Cookie Trade-off

There is always a trade-off between the convenience and security of an application or system; increasing one decreases the other. The web cookie is a great example where one must decide between convenience and security. Would you rather be able to navigate websites faster for the price of third-party sites being able to track you online, or would you prefer to be as safe as possible while browsing the Internet, with a lacking user experience? I, personally, prefer the latter. I use Google Chrome, and I have enabled a feature that removes all of my cookies and site data after quitting Chrome. I am sure other browsers have similar features, but if you would also like to enable this behavior in your Chrome browser setup:

  • click on the three dots at the upper right corner of your browser window
  • click on `Settings`
  • go to the `Privacy and security` section
  • click on `Cookies and other site data`
  • click on `Clear cookies and site data when you quit Chrome`

Pythonista & Gopher | <OSCP> <CySA+> <Security+> | Part-time Cybersecurity Instructional Associate @ Fullstack Academy
