Cookie-related matters: those things from those years

Source: Internet
Author: User
Tags: set cookie

This article is intended for readers who already have basic knowledge of cookies.

Set cookie (HTTP Response Header)

Set-Cookie: {name}={value}; Path={path}; Domain={domain}; Expires={expires}; Secure; HttpOnly

(To set multiple cookies, send multiple Set-Cookie headers.)

Send cookie (HTTP Request Header)

Cookie: {name}={value}; {name2}={value2} (multiple cookies are separated by semicolons)

The request header format is relatively simple.

Name: the cookie name.
Value: the cookie value. Some languages implement it as sub-keys in the format {key1}={value1}&{key2}={value2}.
Path: the path for which the cookie is valid. The default differs between languages: some default to "/", others to the directory of the current page.
Domain: the domain for which the cookie is valid; it defaults to the current domain. A second-level domain can access cookies set under the primary domain (the domain must start with ".", for example ".aaa.com"); a third-level domain can access cookies under the second-level domain, and so on. If www.aaa.com is being accessed and the cookie's Domain is www.bbb.com, it is a third-party cookie (detailed below).
Expires: the cookie's validity period. If not set, the cookie lasts for the session and becomes invalid when the browser is closed. If Expires is earlier than the browser's current time, the cookie becomes invalid immediately.
Secure: with this flag, the cookie is sent only on HTTPS requests.
HttpOnly: the cookie can be modified only by the server; client-side JavaScript cannot read or modify it.

Cookie cross-origin

  • Same primary domain name

For example, www.aaa.com and bla.aaa.com both set the cookie domain to ".aaa.com".

  • Different primary domain names

For example, www.aaa.com and www.bbb.com use third-party cookies.
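As an added example (not code from the original article), the following Python parses Set-Cookie headers, applies the Domain rules described in the field list and the cross-origin section above to decide which hosts receive each cookie, and flags cookies that are third-party relative to the page host or lack Secure/HttpOnly. The page host and the three sample headers are constructed for the demonstration.

```python
"""Added example: scope and audit of Set-Cookie headers (not from the original article)."""
from typing import Dict, List, Tuple

# Constructed sample: (host that sent the response, Set-Cookie header) seen on www.aaa.com.
PAGE_HOST = "www.aaa.com"
SAMPLE_HEADERS = [
    ("www.aaa.com", "sid=abc123; Path=/; Secure; HttpOnly"),
    ("www.aaa.com", "pref=dark; Domain=.aaa.com; Path=/"),
    ("www.ccc.com", "uuid=constructed-id; Domain=www.ccc.com; Expires=Thu, 01 Jan 2099 00:00:00 GMT"),
]

def parse_set_cookie(header: str) -> Tuple[str, str, Dict[str, str]]:
    """Split 'name=value; Attr=val; Flag' into (name, value, attrs); flags map to ''."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs

def cookie_scope(set_by: str, header: str) -> dict:
    """Article's rule: no Domain attribute -> only the exact host that set it;
    Domain=.aaa.com (leading dot) -> aaa.com and every subdomain below it."""
    name, _, attrs = parse_set_cookie(header)
    domain_attr = attrs.get("domain")
    return {"name": name, "host_only": domain_attr is None,
            "domain": (domain_attr or set_by).lstrip(".").lower(),
            "secure": "secure" in attrs, "httponly": "httponly" in attrs}

def is_sent_to(scope: dict, host: str) -> bool:
    host = host.lower()
    if scope["host_only"]:
        return host == scope["domain"]
    return host == scope["domain"] or host.endswith("." + scope["domain"])

def audit(page_host: str, observed: List[Tuple[str, str]]) -> List[Tuple[str, List[str]]]:
    """Flag cookies that are third-party for page_host or that lack Secure/HttpOnly."""
    findings = []
    for set_by, header in observed:
        scope, notes = cookie_scope(set_by, header), []
        if not is_sent_to(scope, page_host):
            notes.append("third-party")
        if not scope["secure"]:
            notes.append("missing Secure")
        if not scope["httponly"]:
            notes.append("missing HttpOnly")
        findings.append((scope["name"], notes))
    return findings
```

Running audit(PAGE_HOST, SAMPLE_HEADERS) reports the uuid cookie from www.ccc.com as third-party, which is exactly the advertising case discussed below.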

Third-party cookies

  • What is a third-party cookie?

When www.aaa.com is accessed and a cookie with domain=www.bbb.com is set, that cookie is a third-party cookie from the point of view of www.aaa.com.

  • Which scenarios require third-party cookies?

For example, single sign-on (SSO) between two websites with different domain names, such as www.tmall.com and www.taobao.com, or www.sina.com and www.weibo.com.

For example, an advertising service provider tracks user behaviour and recommends more appealing advertisements based on the user's browsing history (there is a risk of privacy leakage, because the advertising provider can obtain the user's browsing history).

  • How?

Take advertising tracking as the example: www.ccc.com is the advertising service provider, and www.aaa.com and www.bbb.com want to show its ads.

  1. Add one line of code to every page: <script type="text/javascript" src="http://www.ccc.com:1234/ads.aspx"></script>

  2. In ads.aspx, www.ccc.com plants a cookie with domain=www.ccc.com. Every page of www.aaa.com and www.bbb.com then sends a request carrying that cookie to www.ccc.com when it is opened. With the cookie, www.ccc.com can tell users apart, and from the Referer header it obtains the address of the page the user is browsing, so the user's browsing behaviour can be captured.

As can be seen, if an advertising service provider has enough customers, it can capture most of a user's browsing behaviour, because most of the websites that user visits are likely to be customers of this provider, and they all share the one cookie.

  • Browser settings

  • Chrome
    Third-party cookies supported by default: Yes
    DNT setting: Settings > Send a "Do Not Track" request with your browsing traffic
    How to block third-party cookies: Settings > Content settings > Block third-party cookies and site data

  • Firefox
    Third-party cookies supported by default: Yes
    DNT setting: Options > Privacy > Tell sites that I do not want to be tracked
    How to block third-party cookies: Options > Privacy > Use custom settings for history > Accept third-party cookies: Never

  • IE
    Third-party cookies supported by default: an extra P3P response header is required
    DNT setting: Options > Advanced > Send "Do Not Track" requests to sites you visit in IE
    How to block third-party cookies: Options > Privacy > Advanced > Override automatic cookie handling > Third-party cookies: Block

  1. IE's default privacy level is Medium: third-party cookies without a compact privacy policy are blocked. For details of the P3P protocol, see http://www.w3.org/p3p/. An example P3P header:
    P3P: CP="CURa ADMa DEVa PSAo PSDo our bus uni pur int dem sta pre com nav otc noi dsp cor"

  2. After DNT is enabled, DNT: 1 is added to the request headers. If the website complies with the DNT protocol, it will not plant third-party cookies. However, a website can also choose not to comply; that depends on its integrity.

  3. If the user chooses to block third-party cookies then, sorry, all third-party cookies stop working.

Cookie Security

Because a cookie records the user's identity, it is a favourite target for attackers, and a developer's negligence can leave it unprotected.

The possible attack methods are listed below; for details, search Baidu. Do not trust cookies; do not put unencrypted sensitive information in cookies; validate cookies before using them; use Secure and HttpOnly where appropriate. Because third-party cookies exist, sensitive operations need additional verification: do not assume that the person performing the operation is the user currently logged in.

XSS, reflected XSS, session hijacking, CSRF attacks
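To make the advice above concrete, here is an added Python example (not code from the original article) showing the weak cookie pattern beside a hardened one: the session value carries an HMAC tag so the server can check it before use, and the Set-Cookie header carries Secure and HttpOnly. The secret key and the user names are constructed for the demonstration.

```python
"""Added example: a session cookie the server can actually check (not from the original article)."""
import base64
import hashlib
import hmac
from http.cookies import SimpleCookie
from typing import Optional

# Constructed server-side secret; a real deployment loads it from protected configuration.
SECRET = b"constructed-demo-secret-change-me"

def sign(value: str) -> str:
    """Append an HMAC-SHA256 tag so a tampered cookie value is detectable."""
    tag = hmac.new(SECRET, value.encode(), hashlib.sha256).digest()
    return value + "." + base64.urlsafe_b64encode(tag).decode().rstrip("=")

def verify(signed: str) -> Optional[str]:
    """Return the payload only if its tag matches; None for forged or malformed input."""
    value, sep, _ = signed.rpartition(".")
    if not sep:
        return None
    return value if hmac.compare_digest(sign(value), signed) else None

def weak_header(user: str) -> str:
    """The pattern the article warns against: plain identity, no flags, trusted as-is."""
    return "Set-Cookie: user=%s; Path=/" % user

def hardened_header(user: str) -> str:
    """Signed value plus Secure (HTTPS only) and HttpOnly (no document.cookie access)."""
    jar = SimpleCookie()
    jar["session"] = sign(user)
    jar["session"]["path"] = "/"
    jar["session"]["secure"] = True
    jar["session"]["httponly"] = True
    jar["session"]["max-age"] = 3600  # explicit lifetime instead of an open-ended Expires
    return jar.output()

def current_user(cookie_header: str) -> Optional[str]:
    """Server side: parse the request's Cookie header and use it only after verify()."""
    jar = SimpleCookie()
    jar.load(cookie_header)
    if "session" not in jar:
        return None
    return verify(jar["session"].value)
```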

Third-party cookie code instance (asp.net)

www.ccc.com is an advertising service provider; www.aaa.com and www.bbb.com embed its ads.

  1. Modify the hosts file

    127.0.0.1 www.aaa.com www.bbb.com www.ccc.com

  2. www.ccc.com ads.aspx code

    private static IDictionary<string, IList<string>> histories = new Dictionary<string, IList<string>>();

    protected void Page_Load(object sender, EventArgs e)
    {
        Response.ContentType = "text/javascript";

        // Honour the browser's Do Not Track header: plant no cookie, show only the generic ad
        if (!string.IsNullOrWhiteSpace(Request.Headers.Get("DNT")) && int.Parse(Request.Headers.Get("DNT")) == 1)
        {
            Response.Write(@"document.write('You have enabled the Do Not Track option in your browser. I respect it and will comply, so you will only see the generic version of the ad.');");
            return;
        }

        // Third-party cookie: identifies this visitor on every site that embeds ads.aspx
        var uuid = Request.Cookies["uuid"];
        if (uuid == null)
        {
            uuid = new HttpCookie("uuid")
            {
                Value = Guid.NewGuid().ToString(),
                Domain = "www.ccc.com",
                Expires = DateTime.Now.AddYears(70),
            };
            Response.Cookies.Add(uuid);
            // P3P compact policy so that IE's default privacy level accepts the cookie
            Response.AppendHeader("P3P", "CP=\"CURa ADMa DEVa PSAo PSDo our bus uni pur int dem sta pre com nav otc noi dsp cor\"");
        }

        // The Referer header carries the address of the page that embedded the script
        var referer = Request.Headers.Get("Referer");

        // Record the visitor's browsing history
        if (!histories.ContainsKey(uuid.Value))
        {
            histories[uuid.Value] = new List<string>();
        }
        histories[uuid.Value].Add(DateTime.Now + ":" + referer);

        Response.Write(@"document.write('<br>blabla: here we recommend the advertisement that suits you best based on the site you are on. Do not ask how I know which site has what content, or how I know which ads suit you best; I will just say my algorithm is superior<br>');");
        Response.Write(@"document.write('Below is your browsing record (sorry, I have seen some embarrassing things):<br>');");
        foreach (string history in histories[uuid.Value])
        {
            Response.Write("document.write('" + history + "<br>');");
        }
    }

  3. Code on the www.aaa.com and www.bbb.com pages

    <script type="text/javascript" src="http://www.ccc.com:1234/ads.aspx"></script>

  4. Open the www.aaa.com and www.bbb.com pages

Flash cookies, the odd ones out

This thing is so unusual that it is not covered in this article; if you are interested, search Baidu.

In short, use cookies for what they can do, and do not use them for what they cannot. Of course, cookies are not without problems.
