Be careful with your portal's data transmission from the client: insecure cookies

Source: Internet
Author: User
Tags: http cookie

1. HTTP cookies are a common mechanism for transmitting data through the client. Like hidden form fields, cookies are normally not displayed on the screen. Compared with passing data in URL parameters, cookies look much more secure, because many ordinary users do not know where a cookie lives; at the same time, many developers do not know either, even though we use them all the time. A cookie is a small piece of text stored by the browser on the user's host. Cookies are plain text and contain no executable code. A web page or server instructs the browser to store the information, and the browser returns it to the server in each subsequent request according to a set of rules. The web server can use this information to identify users. Most websites that require a login set a cookie after your authentication information has been verified; as long as that cookie exists and is valid, you can browse freely through all parts of the site. Again, cookies contain only data, so they are not harmful in themselves.

2. Creating a cookie: the web server instructs the browser to store a cookie through the HTTP Set-Cookie message header:

Set-Cookie: value [; expires=date] [; domain=domain] [; path=path] [; secure]

The first part of the header, value, is usually a string in name=value format. The original specification indicates that this format should be used, but browsers do not verify that every cookie value takes this form; a string without an equals sign can also be specified and will be stored just the same. The common usage, however, is to give the cookie value in name=value format (and most interfaces only support this format). If a cookie exists and its optional conditions permit, the cookie value is sent to the server in each subsequent request. The value is carried in the HTTP message header named Cookie and contains only the cookie value; all other options are removed. The options specified through Set-Cookie are applied only by the browser; once set, they are not sent back to the server. The cookie value is exactly the value specified in Set-Cookie, with no further parsing or transcoding. If multiple cookies match a request, they are separated by a semicolon and a space.

expires specifies when the cookie will stop being sent to the server, after which the browser may delete it. The value of this option is a date in the format Wdy, DD-Mon-YYYY HH:MM:SS GMT. When the expires option is absent, the life of the cookie is limited to a single session; closing the browser ends that session, so a session cookie exists only while the browser stays open. This is why, when you log on to a web application, you often see a checkbox asking whether to remember your login information: if you choose yes, an expires option is appended to the login cookie. If expires is set to a time in the past, the cookie is deleted immediately. This attribute is very important for security and, apart from the cookie content itself, is the most important attribute.

3. Insecure cookies: the simple forms of insecure cookie are plaintext cookies and weakly encrypted cookies. As time goes on, I feel cookies are used more and more in pursuit of a friendlier user experience. For example, many websites offer automatic login, which is implemented through cookies.

4. Attacks: plaintext and weakly encrypted cookies are very vulnerable to attack. Another attack method is to substitute a high-permission user's long-lived cookie for a low-permission user's cookie, so that the low-permission user gains some of the high-permission user's permissions.

If the system has no suitable secondary verification (currently many mainstream websites have a login password and a separate payment password; the login password can be kept in cookies, but if there is no payment password ....), cookie information is very easy to steal.
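The following is an added example, not code from the original article, that walks through the Set-Cookie and Cookie header mechanics described in section 2: attributes such as expires, domain, path and secure are kept by the browser only, the bare value travels back in the Cookie header, multiple cookies are joined with "; ", and a cookie whose expires date is in the past is discarded immediately. The Set-Cookie headers and the clock value are constructed for illustration.

```python
"""Added example (not from the original article): parse Set-Cookie headers the
way a browser does, keep only cookies that are still valid, and build the
Cookie request header. Sample headers below are constructed for illustration."""
from datetime import datetime, timezone

# Date format required by the expires attribute: Wdy, DD-Mon-YYYY HH:MM:SS GMT
EXPIRES_FORMAT = "%a, %d-%b-%Y %H:%M:%S GMT"


def parse_set_cookie(header):
    """Split one Set-Cookie value into the cookie string and its attributes.
    The first segment is kept verbatim (no decoding, as a browser does);
    everything after the first ';' is a browser-only attribute."""
    parts = [p.strip() for p in header.split(";")]
    cookie = {"raw": parts[0], "expires": None, "domain": None,
              "path": "/", "secure": False}
    if "=" in parts[0]:
        cookie["name"], cookie["value"] = parts[0].split("=", 1)
    else:                      # a value without '=' is still stored as-is
        cookie["name"], cookie["value"] = parts[0], ""
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.lower()
        if key == "expires":
            cookie["expires"] = datetime.strptime(val, EXPIRES_FORMAT).replace(
                tzinfo=timezone.utc)
        elif key in ("domain", "path"):
            cookie[key] = val
        elif key == "secure":
            cookie["secure"] = True
    return cookie


def build_cookie_header(set_cookie_headers, now, https=True):
    """Return the Cookie header a browser would send, or None if nothing applies.
    Attributes never travel back; expired cookies are dropped (an expires in
    the past deletes the cookie immediately); secure cookies go only over HTTPS."""
    jar = {}
    for h in set_cookie_headers:
        c = parse_set_cookie(h)
        jar[c["name"]] = c          # a later Set-Cookie with the same name overwrites
    sent = []
    for c in jar.values():
        if c["expires"] is not None and c["expires"] <= now:
            continue                # expired: the browser discards it
        if c["secure"] and not https:
            continue                # secure flag: never sent over plain HTTP
        sent.append(c["raw"])
    return "; ".join(sent) if sent else None


# Constructed sample headers and a constructed "current time"
NOW = datetime(2024, 1, 15, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE_HEADERS = [
    "session=abc123; path=/; secure",                        # session cookie, HTTPS only
    "remember=alice; expires=Sat, 15-Jun-2024 00:00:00 GMT; domain=example.com",
    "old=1; expires=Mon, 01-Jan-2024 00:00:00 GMT",          # already expired: deleted
    "bareflag",                                              # no '=' but still stored
]

if __name__ == "__main__":
    print(build_cookie_header(SAMPLE_HEADERS, NOW))               # over HTTPS
    print(build_cookie_header(SAMPLE_HEADERS, NOW, https=False))  # over HTTP
```

Over HTTPS the constructed headers yield `session=abc123; remember=alice; bareflag`; over plain HTTP the secure cookie is withheld. Note that the domain and path values never appear in what is sent, which is exactly why a server cannot rely on them to judge where a received cookie came from.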
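As an added example for sections 3 and 4, and not code from the original article, the block below contrasts a plaintext login cookie, whose role field the server reads straight from the client, with a cookie whose payload is authenticated by an HMAC over a server-side secret and carries its own expiry. The secret key, the user names and the timestamps are constructed for the demonstration; the function names are this example's own.

```python
"""Added example (not from the original article): a plaintext cookie that
carries the user's role is accepted however the client rewrites it, while an
HMAC-signed cookie rejects any edit to its payload. Key and data are constructed."""
import base64
import hashlib
import hmac
import json
import time

# Hypothetical server-side secret; a real deployment loads it from protected config.
SECRET_KEY = b"constructed-demo-key-do-not-reuse"
LOGIN_TTL_SECONDS = 7 * 24 * 3600      # lifetime of a "remember me" login


# --- Insecure: plaintext cookie, the server trusts whatever the client sends ---
def plaintext_role(cookie_value):
    """'user=alice; role=user' style cookie: the role comes straight from the client."""
    fields = dict(p.strip().split("=", 1) for p in cookie_value.split(";"))
    return fields.get("role")


# --- Hardened: the payload is authenticated with an HMAC and carries an expiry ---
def _encode(payload):
    return base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).decode()


def issue_signed_cookie(user, role, now=None):
    """Build body.tag where tag = HMAC-SHA256(SECRET_KEY, body)."""
    now = int(time.time()) if now is None else int(now)
    body = _encode({"user": user, "role": role, "exp": now + LOGIN_TTL_SECONDS})
    tag = hmac.new(SECRET_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


def verify_signed_cookie(cookie_value, now=None):
    """Return the payload if the tag is valid and the cookie has not expired, else None."""
    now = time.time() if now is None else now
    try:
        body, tag = cookie_value.rsplit(".", 1)
    except ValueError:
        return None                                   # malformed: no separator
    expected = hmac.new(SECRET_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):        # constant-time comparison
        return None                                   # payload or tag was altered
    payload = json.loads(base64.urlsafe_b64decode(body))
    if payload["exp"] <= now:
        return None                                   # expired, like a past expires date
    return payload


def rewrite_role(cookie_value, new_role):
    """Simulate a client editing the role field without knowing SECRET_KEY;
    the original tag is kept, so verification must fail."""
    body, tag = cookie_value.rsplit(".", 1)
    payload = json.loads(base64.urlsafe_b64decode(body))
    payload["role"] = new_role
    return f"{_encode(payload)}.{tag}"


if __name__ == "__main__":
    T0 = 1700000000                                   # constructed issue time
    print(plaintext_role("user=alice; role=admin"))   # client-chosen value accepted
    good = issue_signed_cookie("alice", "user", now=T0)
    print(verify_signed_cookie(good, now=T0)["role"])                      # user
    print(verify_signed_cookie(rewrite_role(good, "admin"), now=T0))       # None
    print(verify_signed_cookie(good, now=T0 + LOGIN_TTL_SECONDS + 1))      # None
```

The signature stops a client from promoting itself by editing the cookie, and the embedded expiry gives the server its own clock instead of trusting the browser's expires handling. It does not stop the substitution attack of section 4 by itself: a copied, still-valid cookie of a high-permission user verifies just as well for whoever presents it, which is why short lifetimes and a secondary verification step for sensitive actions, such as the payment password the article mentions, still matter.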
