Friday, April 24, 2009

Exercise 14: Electronic payments and security II

1. What are cookies and how are they used to improve security?

As HTTP is stateless, it provides no continuity between one browser-server interaction and the next. Cookies were created to maintain continuity and state on the Web. A cookie contains a character string encoding relevant information about the user. Cookies are sent to the user's hard disk or RAM through the browser when the user visits a website that uses cookies. The Web server gets the user's information back from their cookies when the user returns later (Park & Sandhu 2000).

Cookies are used for authentication, session tracking or state maintenance, and holding user-specific information. Cookies allow the server to recognize that the user is already authenticated, so the user can access services or perform operations that are only allowed for logged-in users (Wikipedia 2009).

2. Can the use of cookies be a security risk?

A Web server could use a cookie to store the user's name and credit card numbers. Although this is convenient for users, it is also a risk. As cookies are stored and transmitted in clear text, they are readable by others (Park & Sandhu 2000).

Typical cookies on the Web (Park & Sandhu 2000):


All cookies are fundamentally similar in the above format. 'Domain' is the host or domain name for which the cookie is valid. 'Flag' specifies whether or not all machines within a given domain can access the information in the cookie. If the 'Secure' flag is on, the cookie will be transmitted only over secure communication channels such as SSL. There is a security problem in that a Web server can update the contents of the cookie whenever the user visits the server. There is no validation of the cookie issuer, as any Web server can issue cookies for other Web servers. Security risks to cookies (Park & Sandhu 2000):

  • Network risk - cookies are transmitted in clear text over the network, so they can be captured or modified by others
  • End-system risk - cookies exist in the browser's end-system, stored on the hard drive or in memory in clear text, so their contents can easily be altered by users
  • Cookie-harvesting - if an attacker collects cookies from users who accept cookies, the attacker can later use those harvested cookies at all other sites that accept them
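The end-system and network risks above come from the server trusting whatever cookie string comes back. As an added example (not from the page or from Park & Sandhu), the Python code below signs the cookie value with an HMAC so silent alteration on the user's machine is detected, sets the 'Secure' flag so the cookie is not sent in clear text, and checks a Set-Cookie header for a missing 'Secure' flag; the secret key and cookie values are constructed placeholders.

```python
import base64
import hashlib
import hmac
from http.cookies import SimpleCookie

# Constructed placeholder secret; a real server loads this from a secrets store.
SECRET = b"example-server-secret-not-for-production"


def sign_cookie_value(value: str, secret: bytes = SECRET) -> str:
    """Return 'value.signature', where signature is HMAC-SHA256 over value."""
    sig = hmac.new(secret, value.encode(), hashlib.sha256).digest()
    return value + "." + base64.urlsafe_b64encode(sig).decode().rstrip("=")


def verify_cookie_value(signed: str, secret: bytes = SECRET):
    """Return the original value if the signature verifies, else None.

    The signature alphabet has no '.', so rpartition always splits at the
    separator even when the value itself contains dots.
    """
    value, sep, _sig = signed.rpartition(".")
    if not sep:
        return None  # no signature at all
    expected = sign_cookie_value(value, secret)
    # Constant-time comparison so timing does not leak how much matched.
    if hmac.compare_digest(expected, signed):
        return value
    return None


def build_set_cookie(name: str, value: str, domain: str, secure: bool = True) -> str:
    """Build a Set-Cookie header carrying the signed value and the given attributes."""
    c = SimpleCookie()
    c[name] = sign_cookie_value(value)
    c[name]["domain"] = domain
    c[name]["path"] = "/"
    c[name]["httponly"] = True  # keep the cookie away from page scripts
    if secure:
        c[name]["secure"] = True  # only send over SSL/TLS, never in clear text
    return c.output(header="Set-Cookie:")


def missing_secure_flag(set_cookie_header: str) -> bool:
    """True when a Set-Cookie header lacks 'Secure', i.e. the cookie may travel in clear text."""
    attributes = [part.strip().lower() for part in set_cookie_header.split(";")]
    return "secure" not in attributes
```

A tampered value such as a changed user id fails `verify_cookie_value` because the attacker cannot recompute the HMAC without the server secret; the check does not stop a harvested cookie from being replayed unchanged, which is why the 'Secure' flag and a short lifetime still matter.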

Reference

  1. Park, J.S. and Sandhu, R. (2000), Secure cookies on the Web, IEEE Internet Computing, 4(4), 36-44.
  2. Wikipedia (2009), HTTP cookie, retrieved from http://en.wikipedia.org/wiki/HTTP_cookie on 24 April 2009.
