Internet cookie is the term for a type of message that a web server gives to a web browser. Generally, cookies are small, often encrypted text files that contain a name, a value and attributes. A web server identifies a cookie by its name. The value is a random alphanumeric string that stores data such as a unique identifier for the user and other information. The attributes describe characteristics such as the expiration date, domain, path, and flags.
How do Internet Cookies work?
Cookies are created when a web browser loads a particular website. The website sends information to the browser, which then creates a text file (the cookie). Cookies allow a website to store data about our activities (only on that website), so every time we go back to the same website it can retrieve that data and give us a more customized experience.
When we enter the letter “F” in our URL bar and it suggests “Facebook.com” along with other options, that is the work of cookies. When we hit enter, our browser contacts Facebook’s server and requests its home page. A web browser has no memory of its own, so the website we visit transfers its cookies to the browser, which stores them on our computer’s hard disk. If we have not visited that website before, there is no cookie data stored yet; once we visit it for the first time, it starts setting cookies. That is how the site can remember who we are and our preferences.
A website can only receive the information it has stored on our computer. It cannot look at any other cookie, nor anything else on our machine. Additionally, Internet cookies are created not just by the website the user is visiting, but also the other websites that run ads, widgets or other elements on the page being loaded.
What Information do Cookies Store?
As discussed above, a cookie consists of a name, a value and attributes. In more detail, the following information can be passed in a cookie:
- The name of the cookie
- The value of the cookie
- The expiration date of the cookie, which determines how long the cookie will remain active in our browser
- The path for which the cookie is valid; web pages outside of that path cannot use the cookie
- The domain for which the cookie is valid; when a website uses multiple servers in a domain, the cookie is accessible to pages on any of those servers
- The need for a secure connection, which indicates that the cookie can only be sent over a secure (HTTPS) connection
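To make the attributes above concrete, here is an added example (not code from the article) that parses a Set-Cookie header into its name, value and attributes and then applies the Domain, Path and Secure rules to decide whether a browser would attach the cookie to a given request. The header and hosts are constructed sample values; the matching rules follow RFC 6265.

```python
# Added example: parse a Set-Cookie header into the name/value/attribute parts
# described above, then decide whether a browser would send that cookie on a
# given request. Domain/path matching follows RFC 6265 section 5.1. The sample
# header and hostnames are constructed for this demo.
from urllib.parse import urlsplit

def parse_set_cookie(header):
    """Split 'name=value; Attr=val; Flag' into (name, value, attributes)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for p in parts[1:]:
        k, _, v = p.partition("=")
        attrs[k.strip().lower()] = v.strip() if v else True  # bare flags (Secure, HttpOnly) -> True
    return name.strip(), value, attrs

def domain_matches(host, cookie_domain):
    """RFC 6265 5.1.3: the host equals the cookie domain or is a subdomain of it."""
    d = cookie_domain.lstrip(".").lower()
    host = host.lower()
    return host == d or host.endswith("." + d)

def path_matches(request_path, cookie_path):
    """RFC 6265 5.1.4: the request path equals the cookie path or lies below it."""
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"

def would_send(header, url, origin_host):
    """Return True if a cookie set by origin_host would be attached to url."""
    _, _, attrs = parse_set_cookie(header)
    u = urlsplit(url)
    if attrs.get("secure") and u.scheme != "https":
        return False              # Secure cookies never travel over plain HTTP
    host_only = "domain" not in attrs
    if host_only and u.hostname != origin_host:
        return False              # no Domain attribute: exact host only, no subdomains
    if not domain_matches(u.hostname, attrs.get("domain", origin_host)):
        return False
    return path_matches(u.path or "/", attrs.get("path", "/"))

SAMPLE = "sid=abc123; Domain=example.com; Path=/account; Secure; HttpOnly"

if __name__ == "__main__":
    print(parse_set_cookie(SAMPLE))
    print(would_send(SAMPLE, "https://www.example.com/account/settings", "example.com"))
    print(would_send(SAMPLE, "http://www.example.com/account/settings", "example.com"))
```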
Types of Cookies
Cookies are classified into several types based on their attributes, such as the source, duration and purpose. In general, there are six types of cookies, explained as follows:
Based on Source
- First party cookies: These cookies are set by the website the user is currently visiting, for example the cookies a website uses to determine whether a user has logged in.
- Third party cookies: These cookies are set by other websites or third party servers that the user is not directly visiting. Third party advertisers use these cookies to track users and measure the effectiveness of website advertisements.
Based on Duration
- Session cookies: These cookies are stored temporarily in the browser and usually expire when the user's session ends or when the user closes the browser.
- Persistent cookies: These cookies stay in the browser for a longer period. Once set, they are removed only when they expire or when the user clears them from the browser.
Based on Purpose
- Necessary cookies: These cookies are absolutely necessary for the website to function.
- Non-necessary cookies: The purpose of these cookies is to track behavior in the browser.
Are Cookies Harmful?
The short answer is: they can be. Cookies by themselves are safe, but when attackers exploit them they can become a real threat.
Third party cookies are stored on our computer by a website other than the one we are actually visiting. By visiting these sites, we grant permission to the other domain to create its own cookies on our device. If this domain appears across other websites we visit, the cookies it created track our browsing habits over time. The most common use of this information is to show targeted advertisements matching our browsing habits, or to sell the data as part of consumer research.
While those are not entirely harmful, what we should be aware of are these other types of attacks:
- Cross Site Request Forgery Attacks (CSRF): Browsers attach the cookies they hold for a site to every request to that site, so when the site receives a request carrying a session cookie it recognizes, it approves and performs the action as if the user had initiated it. Attackers exploit this by crafting an HTTP request of their choosing and getting the victim’s browser to send it, so the victim’s session cookie is included in the request. The attack succeeds when the website or application relies solely on the session cookie to authorize the user who made the request, with no other mechanism for tracking sessions or validating that the user intended the request. Actions that can be carried out range from changing the email address or password and transferring funds to deleting resources or even causing operational downtime.
- Cross Site Scripting Attacks (XSS): This attack is performed by injecting a malicious script into a vulnerable website in order to steal the session cookies of every visitor to the website and hijack their sessions.
- Session Fixation: This can happen to a vulnerable application. Attackers transplant a session identifier from their own user agent into the victim’s user agent, and the victim then interacts with the web server under that session.
- Cookie Tossing Attacks: Cookie tossing is a common way attackers exploit cookies. Leveraging either the path or the alphabetical case of the cookie, attackers create malicious cookies from a subdomain that are sent along with the actual cookies of the domain. The server generally accepts such cookies because it assumes they belong to the actual domain. From there, an attacker gains control of key parts of the user’s request, allowing them to deploy their attack against the main site.
- Cookie Overflow Attacks: While less common, attackers might identify web servers that are vulnerable to buffer overflow (too much data) attacks and visit the site to obtain cookies from it. They may then corrupt a cookie with overflowing data and return it to the site for processing, which causes the site to crash.
What Can We Do to Avoid The Threats?
As users, we should consider using an extension that blocks tracking software or pop up ads from the web. Most browsers also offer a Do Not Track feature that will signal websites to stop the tracking of users.
When sharing computer access, we may want to set our browser to clear private browsing data every time we close it. While this is not as secure as rejecting cookies outright, this option lets us use cookie-based websites while deleting sensitive information after the browsing session ends.
We should also set our browser to update automatically. This eliminates security vulnerabilities caused by outdated browsers, as many cookie-based exploits work by exploiting older browsers’ security issues.
At the computer level, install anti-spyware applications and keep them updated. They block our browsers from accessing websites designed to exploit browser vulnerabilities or download malicious software.
If you operate a web application, you may wish to consider employing tight controls on your root domain and cryptographically signing the cookies you issue. Avoid storing session identifiers in cookies and using them for authorization, and set the secure flag on cookies. It may also be worth testing your query string values to understand how cookies could be used in an attack on your site.
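As an added example of the signing advice (not code from the article), the following issues a session cookie whose value carries an HMAC tag computed under a server-side key, emits it with the Secure, HttpOnly and SameSite attributes, and on the way back accepts only a value whose tag verifies, so a cookie edited by the client or tossed in from a subdomain is skipped. The key and session id are constructed placeholders.

```python
# Added example: HMAC-signed session cookie issue/verify. The server key and
# session id below are constructed placeholders; in practice the key comes
# from configuration, not source code.
import hashlib
import hmac
import secrets

SERVER_KEY = b"placeholder-replace-with-a-random-32-byte-key"

def sign_value(value, key=SERVER_KEY):
    """Return 'value.tag' where tag = HMAC-SHA256(key, value), hex encoded."""
    tag = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()
    return f"{value}.{tag}"

def verify_value(signed, key=SERVER_KEY):
    """Return the bare value if the tag checks out, otherwise None."""
    value, sep, tag = signed.rpartition(".")
    if not sep:
        return None                      # no tag at all
    expected = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()
    # constant-time comparison so timing does not reveal how many bytes matched
    return value if hmac.compare_digest(expected.encode(), tag.encode()) else None

def set_cookie_header(name, value, max_age=3600):
    """Build a Set-Cookie header carrying the signed value and protective flags."""
    return (f"{name}={sign_value(value)}; Max-Age={max_age}; Path=/; "
            "Secure; HttpOnly; SameSite=Lax")

def cookie_from_request(cookie_header, name):
    """Return the first cookie named `name` whose tag verifies.

    A tossed or tampered duplicate with the same name fails the check and is
    skipped rather than shadowing the genuine cookie."""
    for part in cookie_header.split(";"):
        k, _, v = part.strip().partition("=")
        if k == name:
            ok = verify_value(v)
            if ok is not None:
                return ok
    return None

if __name__ == "__main__":
    sid = secrets.token_hex(16)
    print(set_cookie_header("sid", sid))
    # client echoes the cookie back unchanged: accepted
    print(cookie_from_request(f"sid={sign_value(sid)}", "sid") == sid)
    # client-edited value: rejected
    print(cookie_from_request("sid=tampered.deadbeef", "sid"))
```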
While it is impossible to avoid cookies entirely while using the Internet, as some are necessary for a website to function, we should be more conscious about the sites we visit and take the precautions above while browsing.