Cookie Security Research

Source: Internet
Author: User

Cookie format and composition

A Cookie is composed of variable names and values, much like JavaScript variables. Its properties contain both the standard Cookie attributes and variables created by the user, each saved in the form "variable=value". According to Netscape, the Cookie format is as follows:

Set-Cookie: NAME=VALUE; Expires=DATE; Path=PATH; Domain=DOMAIN_NAME; secure

NAME=VALUE: this is the required part of every Cookie. NAME is the name of the Cookie and VALUE is its value. The string "NAME=VALUE" must not contain semicolons, commas, or spaces.

Expires=DATE: the Expires variable is a write-only variable that determines the date on which the Cookie stops being valid. The value DATE must be written in a specific format: day of the week, DD-MM-YY HH:MM:SS GMT, where GMT indicates Greenwich Mean Time; the system cannot recognize a date written in any other format. This variable is optional. If it is omitted, the Cookie is not saved to the user's hard disk but only kept in memory, and it disappears automatically when the browser is closed.

Domain=DOMAIN_NAME: Domain is a write-only variable that determines which Internet domain's Web servers can read the Cookie held by the browser, that is, only pages from this domain can use the information in the Cookie. This setting is optional. If it is omitted, the attribute defaults to the domain name of the Web server that set the Cookie.

Path=PATH: the Path attribute defines which paths on the Web server can obtain the Cookie set by the server. Generally, if the path part of the URL entered by the user starts with the string defined by the Path attribute, the browser treats the check as passed. If the value of Path is "/", all WWW resources on the Web server can read the Cookie. This setting is also optional. If it is omitted, the Path attribute takes the path of the resource that the Web server sent to the browser. By setting the Domain and Path variables, we can effectively control the access range of Cookie files.

Secure: marking this variable in the Cookie indicates that the browser submits the Cookie to the server only when the communication between the browser and the Web server is encrypted and authenticated. Currently there is only one such protocol, HTTPS.

Cookies record session-tracking content as key/value pairs. The server sends cookie information with the Set-Cookie response header. The format of the Set-Cookie response header defined in RFC 2109 is:

Set-Cookie: Name=Value; Comment=value; Domain=value; Max-Age=value; Path=value; secure; Version=1*DIGIT

Name is the cookie name and Value is its value. The Name=Value pair must appear first; the attribute-value pairs after it can appear in any order. In the Servlet specification, the cookie name used for session tracking must be JSESSIONID. The Comment attribute is optional: because a cookie may contain private information about the user, this attribute lets the server describe how the cookie is used, so that the user can inspect the description and decide whether to join or continue the session. The Domain attribute is also optional; it specifies the domain in which the cookie is valid, and the specified domain must start with a period (.). The Max-Age attribute is optional and defines the cookie's survival time in seconds; once that time has passed, the client discards the cookie, and if the specified number of seconds is 0 the cookie should be discarded immediately. The Path attribute is optional and specifies the URL subset under which the cookie is valid. The Secure attribute is optional. The Version attribute is required; its value is a decimal number that identifies the version of the state-management specification the cookie conforms to.

For example, Set-Cookie: uid=zhangsan; Max-Age=3600; Domain=.sunxin.org; Path=/bbs; Version=1 describes a cookie named uid with the value zhangsan, whose survival time is 3600 seconds and which is valid under the bbs path in the sunxin.org domain; after 3600 seconds the client discards the cookie. When IE receives the above response header, the user can choose to accept or reject the cookie. If IE accepts it, the next time the browser requests a resource under the bbs path of www.sunxin.org it also sends the following request header: Cookie: uid=zhangsan.

Example of cookie-based replay: copy the Firefox cookie files from one machine to the Firefox profile path on another machine and visit the website recorded by the cookie again; no password needs to be entered. Note: Windows users can reach the configuration folder by clicking "Start > Run...", entering %AppData%\Mozilla\Firefox\Profiles, and pressing Enter. Linux users can open a virtual terminal and enter cd ~/.mozilla/ to reach the Firefox configuration folder. Profiles is Firefox's personal configuration folder. Only the cookie-related files (those whose names contain the string "cookies") need to be copied to the Profiles folder of the other machine.

A Cookie is generated by the server and sent to the User-Agent (usually a browser). The browser saves the Cookie's key/value to a text file in a directory and sends the Cookie back to the server the next time the same website is requested (provided that the browser is set to accept cookies). The Cookie name and value can be defined by the server. For JSP, the jsessionid can be written directly, so the server can tell whether the user is legitimate and whether they need to log on again.

Purpose

The server can filter and regularly maintain the information contained in Cookies to determine state during HTTP transmission. The most typical application of Cookies is to determine whether a registered user has logged on to the website; the user may be prompted whether to keep the user information so that the logon procedure is simplified on the next visit. These are functions of Cookies. Another important application scenario is the "shopping cart": within a period of time a user may select different items on different pages of the same website, and this information is written into Cookies so that it can be extracted at final payment.

Life cycle

A Cookie can keep the login information until the user's next session with the server; in other words, the user finds that they are logged on without entering the user name and password (unless, of course, the user deletes the cookie manually). Some cookies are deleted when the user exits the session, which effectively protects personal privacy. When a Cookie is generated, an Expire value is specified; this is the Cookie's life cycle. During this period the Cookie is valid, and once the period is exceeded it is cleared. Some pages set the Cookie life cycle to "0" or a negative value, so that the Cookie is cleared immediately when the page is closed and no user information is recorded, which is safer.
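The scoping and life-cycle rules explained above (Domain suffix match, Path prefix match, Secure only over HTTPS, Expires versus Max-Age, and Max-Age=0 or a missing expiry), as an added Python example that is not part of the original article. It assumes the Netscape date layout "Wdy, DD-Mon-YYYY HH:MM:SS GMT" and uses the article's own uid=zhangsan cookie as constructed input.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

# Assumed Netscape Expires layout, e.g. "Wed, 09-Jun-2021 10:18:14 GMT".
EXPIRES_FMT = "%a, %d-%b-%Y %H:%M:%S GMT"
# Constructed "current time" so the checks below are deterministic.
DEMO_NOW = datetime(2021, 6, 9, 10, 0, tzinfo=timezone.utc)

def shift(t, seconds):
    return t + timedelta(seconds=seconds)

def parse_set_cookie(header, origin_host, origin_path, now):
    """Parse one Set-Cookie value. Domain defaults to the issuing host and Path
    to the directory of the resource that set it; Max-Age (RFC 2109) overrides
    Expires (Netscape); expires=None means a memory-only session cookie."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = {"name": name.strip(), "value": value.strip(), "secure": False,
              "domain": origin_host.lower(),
              "path": origin_path.rsplit("/", 1)[0] or "/", "expires": None}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "max-age":            # 0 -> expires now -> discarded at once
            cookie["expires"] = shift(now, int(val))
        elif key == "expires" and cookie["expires"] is None:
            cookie["expires"] = datetime.strptime(val, EXPIRES_FMT).replace(tzinfo=timezone.utc)
        elif key == "domain":           # ".sunxin.org" also covers its subdomains
            cookie["domain"] = val.lower().lstrip(".")
        elif key == "path" and val:
            cookie["path"] = val
        elif key == "secure":
            cookie["secure"] = True
    return cookie

def should_send(cookie, request_url, now):
    """True only if the request is inside the cookie's scope: host equals Domain
    or is a subdomain of it, path starts with Path, HTTPS if Secure, not expired."""
    u = urlparse(request_url)
    host = (u.hostname or "").lower()
    if host != cookie["domain"] and not host.endswith("." + cookie["domain"]):
        return False
    if not (u.path or "/").startswith(cookie["path"]):
        return False
    if cookie["secure"] and u.scheme != "https":
        return False
    return cookie["expires"] is None or now < cookie["expires"]
```

A cookie that fails any of these checks is simply not attached, which is why the Secure flag and a short Max-Age narrow the window in which a copied cookie file remains usable.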
