All About Cookies

Here you can find information about Internet Cookies. Enjoy!!


What are They?

A cookie is a small piece of data that a server sends to the browser in a Set-Cookie response header. The browser stores it and attaches it to a Cookie request header on every later request to the same site, so the server can recognise the same client across requests. Note that it is the browser, not the server, that writes the cookie to the user's computer, and the browser decides when to send it back (by host, path, expiry and the attributes described under Security considerations). With PHP you can both create cookies (setcookie()) and read back the ones the browser sent ($_COOKIE).
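The round trip described above, as an added example that is not from the original page (written in Python rather than the PHP the page mentions): the server answers a login with a Set-Cookie header, a small stand-in for the browser's cookie jar stores it, and the next request carries it back in a Cookie header. The host names, the user names and the in-memory session table are constructed for the demo.

```python
from http.cookies import SimpleCookie
import secrets

# Constructed for the demo: server-side session table, session id -> user name.
# Only the opaque id goes into the cookie; the user's data stays on the server.
SESSIONS = {}


def server_login(username):
    """Server side: create a session and return the Set-Cookie header value."""
    session_id = secrets.token_urlsafe(32)  # unguessable id, 256 bits of entropy
    SESSIONS[session_id] = username
    cookie = SimpleCookie()
    cookie["sessionid"] = session_id
    cookie["sessionid"]["path"] = "/"
    # Produces: sessionid=<id>; Path=/
    return cookie["sessionid"].OutputString()


class BrowserJar:
    """Browser side: stores cookies per host and replays them on later requests."""

    def __init__(self):
        self.store = {}  # host -> {cookie name: value}

    def receive(self, host, set_cookie_header):
        """Handle a Set-Cookie response header received from `host`."""
        parsed = SimpleCookie()
        parsed.load(set_cookie_header)
        for name, morsel in parsed.items():
            self.store.setdefault(host, {})[name] = morsel.value

    def cookie_header(self, host):
        """Build the Cookie request header for a request to `host`
        (empty string if nothing is stored; cookies never cross hosts)."""
        return "; ".join(f"{k}={v}" for k, v in self.store.get(host, {}).items())


def server_whoami(cookie_header):
    """Server side: parse the Cookie request header and resolve the session.
    Returns the user name, or None for a missing or unknown session."""
    parsed = SimpleCookie()
    parsed.load(cookie_header or "")
    morsel = parsed.get("sessionid")
    if morsel is None:
        return None
    return SESSIONS.get(morsel.value)


def demo():
    """Log in as 'alice' and show that the replayed cookie identifies her."""
    jar = BrowserJar()
    jar.receive("shop.example", server_login("alice"))
    # A request to a different host carries nothing, so it is anonymous there.
    assert server_whoami(jar.cookie_header("other.example")) is None
    return server_whoami(jar.cookie_header("shop.example"))


if __name__ == "__main__":
    print(demo())  # alice
```

The point to take from the jar is that the cookie is just a string the browser echoes back; everything that makes it trustworthy (the unguessable id, the server-side lookup) lives on the server.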

[Image: internet cookies, from http://www.techreviewtime.com/internet-cookies]

Why/when it is appropriate to use them

A cookie is often used to identify a user and follow that user across multiple pages. Cookies give websites a reliable way to remember stateful information (such as the items in a shopping cart) or to record browsing activity (which buttons were clicked, whether the user is logged in, which pages were visited). They can also remember information the user previously typed into form fields, such as names and addresses. Sensitive values such as passwords and payment card numbers should not be stored in cookies: the cookie travels with every request and sits in a file on the user's machine, so the usual pattern is to keep that data on the server and put only an unguessable session identifier in the cookie.

Security considerations

When a website uses a cookie to identify a session, an attacker who steals a copy of that cookie can impersonate the user: the attacker's requests carry the same credential as the user's own requests, so the server performs them on the user's behalf. Each of the attacks below is a way of obtaining, or misusing, such a cookie.

On a shared network, traffic can be seen and read by machines other than the sender and the receiver. An attacker who reads other users' traffic in this way is performing network eavesdropping, and may also place themselves between client and server as a man-in-the-middle. Cookies captured from plaintext HTTP traffic can then be replayed to impersonate the user. The defence is to encrypt the connection with HTTPS and to mark the cookie Secure, so that the browser never sends it over a plaintext http:// request in the first place (HTTPS alone does not stop the browser from attaching the cookie to a stray http:// link to the same site).

When an attacker manages to get a DNS server to cache a forged entry (DNS cache poisoning), users who look up the real site's name are sent to the attacker's server, and their browsers hand that server the site's cookies. Using Secure cookies lessens the impact: the browser only sends them over HTTPS, so the attacker would additionally need a valid TLS certificate for the victim site's name, which a certificate authority should not issue to them.

Cookies can also be stolen through cross-site scripting (XSS). This happens when a website places user-supplied content into its pages without filtering or encoding it, so an attacker can inject their own HTML and JavaScript. The injected script runs in the victim's browser with full access to the page, can read document.cookie, and can send its contents to a server the attacker controls. Marking the cookie HttpOnly lessens this: the browser withholds HttpOnly cookies from client-side script, so document.cookie no longer reveals them. HttpOnly does not fix the XSS itself, however; injected script can still issue requests from the victim's browser, and the browser will attach the cookie to those requests, so the injection point still has to be fixed.
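Setting the attributes the last three paragraphs rely on, as an added Python example that is not from the original page: a hardened Set-Cookie header for the session cookie, a model of the browser rule that keeps a Secure cookie off plaintext requests, and a small audit that flags Set-Cookie headers missing Secure or HttpOnly. SameSite, which the page does not discuss, is included because a practitioner sets it in the same place. The cookie names and values are constructed.

```python
from http.cookies import SimpleCookie

# Constructed sample, e.g. a header copied from a server's response: no hardening.
WEAK_HEADER = "sessionid=abc123; Path=/"


def hardened_session_cookie(session_id):
    """Build the Set-Cookie value for a session cookie with the protective attributes."""
    cookie = SimpleCookie()
    cookie["sessionid"] = session_id
    morsel = cookie["sessionid"]
    morsel["path"] = "/"
    morsel["secure"] = True     # only sent over HTTPS: defeats plaintext eavesdropping
    morsel["httponly"] = True   # hidden from document.cookie: defeats XSS exfiltration
    morsel["samesite"] = "Lax"  # beyond the page: not attached to most cross-site requests
    # Produces: sessionid=<id>; HttpOnly; Path=/; SameSite=Lax; Secure
    return morsel.OutputString()


def browser_will_send(set_cookie_header, request_scheme):
    """Model the rule the Secure attribute enforces in the browser: a Secure
    cookie is attached to https:// requests only. Returns {name: value} sent."""
    parsed = SimpleCookie()
    parsed.load(set_cookie_header)
    sent = {}
    for name, morsel in parsed.items():
        if morsel["secure"] and request_scheme != "https":
            continue  # withheld: a plaintext request never carries it
        sent[name] = morsel.value
    return sent


def audit_set_cookie(set_cookie_header):
    """Return the hardening attributes missing from one Set-Cookie header.
    Unset flags read back as "" from http.cookies, so a plain truth test works."""
    parsed = SimpleCookie()
    parsed.load(set_cookie_header)
    findings = []
    for name, morsel in parsed.items():
        if not morsel["secure"]:
            findings.append(f"{name}: missing Secure")
        if not morsel["httponly"]:
            findings.append(f"{name}: missing HttpOnly")
        if not morsel["samesite"]:
            findings.append(f"{name}: missing SameSite")
    return findings


if __name__ == "__main__":
    strong = hardened_session_cookie("abc123")
    print(strong)
    print("weak  :", audit_set_cookie(WEAK_HEADER))
    print("strong:", audit_set_cookie(strong))
    print("over http :", browser_will_send(strong, "http"))
    print("over https:", browser_will_send(strong, "https"))
```

Running audit_set_cookie over the Set-Cookie headers of a site's responses is a quick way to find session cookies that an eavesdropper or an XSS payload could pick up; the weak sample above yields three findings, the hardened one none.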

There were security holes in the XMLHttpRequest implementation of older versions of many browsers. The API allowed a page to specify a proxy server that would receive the response, and that proxy was not subject to the same-origin policy. (The same-origin policy lets a script from one page access data in a second page only if both pages share the same origin: the same URI scheme, host name and port number.) A proxy chosen by the attacker could therefore see the cookies sent with a request to another origin. This attack does not work with Secure cookies, because they are only sent over HTTPS, which is encrypted end to end: the proxy sees only the encrypted bytes of the request, not the Cookie header inside it.

Cookiejacking is an attack against Internet Explorer in which the attacker obtains a user's session cookies for any site by deceiving the user into dragging an object across the screen (a drag-and-drop variant of clickjacking). Holding the session cookie lets the attacker act as the logged-in user without ever learning the password.

Links to resources demonstrating/explaining use

"What Are Cookies? And How They Work | Explained for Beginners!" YouTube, uploaded by Create a Pro Website, 31 Aug. 2019, https://www.youtube.com/watch?v=rdVPflECed8. Accessed 9 Nov. 2020.

Wikipedia contributors. "HTTP cookie." Wikipedia, The Free Encyclopedia, 8 Nov. 2020, https://en.wikipedia.org/wiki/HTTP_cookie. Accessed 10 Nov. 2020.
