The Dangers of Improper Cookie Use

shifted89 writes "Over the last year, the security community have exposed web application security for what it is — extremely lacking. However, for all the focus on XSS, CSRF, history stealing, etc., not much attention has been given to the cookie. Unfortunately, cookie misuse can be just as dangerous, if not more so than XSS attacks and InformIT illustrates why. In short, the author clearly demonstrates what can happen when a website improperly uses cookies for customer tracking — including a working illustration."

practical, perhaps?

[fermion]

I was going to read the article until the 5th cookie was set at which point i just assumed that the entire thing was an practical lesson. Be stupid enough to read an article about cookie abuse and get caught in the trap. Sort of like trying to find a windows virus filter only to find that the virus filter has infected you.

Oh well, I guess this is just another lesson in how marketers will shoot themselves in the foot. Animated gifs are abused, so i turn animation off. Cookies are abused, so i reject any cookie that is not obviously necessary. Flash is useful, but no way to request that it does not start automatically, so either I don't install it or install a hack to block it. I don't even see the product that is being advertised.

I hope this gets everyone off thier high horse, and realize that third party cookies should be rejected on all machines by default. What I really wish existed was a screen that popped up every time you went to a new site that informed the user of the site, and asked for a cookie preference for that site. That way, all cookies could be accepted at the corporate site, and no cookies might be accepted at google.

Re:Obligatory

[Archangel Michael]

Why yes! Yes it does!

My problem is that I missed the Anonymous Coward Check box, and now, my karma has taken a hit. Sigh.

Oh well. Live and learn

How old is this article?

[Dekortage]

It says "updated Dec 15, 2006" but the comments at the end of the article are all dated from 2004. I mean, the problem is much older than that, but it seems the article was just updated with 2006 dates to make it seem more current. Or am I missing something?

Cookie on cookie misuse link

[blindcoder]

I like how the first thing the 'cookie misuse' site is doing is trying to do is to set a cookie. The 'why' remains unknown.
Other things they do is prohibit tabbed browsing by using javascript to open an image from a thumbnail to a new window. Can someone please send these guys to a usability crash-course?

I love the start of this article

[fullphaser]

As it references XSS attacks and then jumps to cookie abuse like it is something newer than XSS, I mean you know the whole web 2.0, almost everything being session and cookie based, yes turn those boogers off their dangerous, and return to the safe land of 1998 where static web pages reigned supreme. The fact is that we can't just dismiss the cookie, yes we can play safely in the field with it, but past that it is a integral part of today's web infrastructure and there is no short term replacement for it, between JS, ASP, and PHP all nearly relying on the whole concept of the cookie to validate session etc. You can't just say they are dangerous and to stop accepting them in general, and you can't just tell the web designer to stop using them, for the primary reason that it isn't practical.

Re:cookies passed as plaintext

[Xzzy]

bingo. that's why i store the IP address along with the session ID in the database.

There was a merchant site that I visited quite some time ago that did something like this. Except they screwed it up and, along with putting the session ID in the URL, they "automatically" tied the session id with account information. The effect this had was that anyone who visited a copied URL would pull up the account information of the person who had spread the URL around.

It took some time to figure it out. The URL was posted on a fairly busy forum, and it was a fairly fast selling item, and 50+ people had used the link to try and make a purchase.. and every time someone checked out, the account was updated with their information.

I'm not sure what the lesson here is, other than the fact that any "safe practice" can become insecure in the hands of idiots. Cookies aren't an inherently stupid idea, but the ease of using them invites a lot of abuses.

Re:Cookies? Javascript? Etc?

[Kelson]

I disable them all because I hate any innovation of the web past 1991.

Hmm. Animated GIFs? Check. Blink? Check. Scrolling status bar? Check. Background MIDI files? Check. Pop-ups? Check. Flash ads with full video and sound? Check. Garish color schemes? Double-check.

I think you're on to something!

Re:Obligatory

[Archangel Michael]

Okay, it is ONE of my problems. Sheesh

No need to beat a man while he's down.

Re:Cookie on cookie misuse link

[blindcoder]

if I click on the image, I expect it to open in the same or a new window. If I click with both mousebuttons, I expect it to open in a new tab.
this is not possible with javascript 'links' which may or may not do things as you would expect and certainly destroy any usage patterns you have achieved and do so without a valid reason.

Re:Cookies? Javascript? Etc?

[BLACKtactx]

Do you count CSS as an innovation??. If so, i have to disagree with you. Wouldn't it be better to word it "I hate any innovation that annoys me", instead of a blanket "any" innovation. Or maybe I should just develop all my sites in size 15 font, using framesets, in times new roman, and 16 colours. Innovation in itself is not bad, innovation for the sake of it is. The misuse of tehcnology cannot also be blamed on the technology itself but the dumb people who develop. I find javascript incredibly useful to improve my ui, some people decide to make yellow scrolling text on a magenta background, thats not javascripts issue. Dont shoot the messenger. Better go, my brick cell phone is ringing, and Im missing Magnum PI reruns.

Re:cookies passed as plaintext

[jgc7]

> bingo. that's why i store the IP address along with the session ID in the database.

How does that do anything for the example given? If someone uses a sniffer at a wireless access point with NAT, they have access to the same IP as their victim.

Firefox could do better

[brunes69]

Firefox could do better around cookies.

For example, just look at their cookie management under "privacy". Sure, they have white and blacklists for cookies, and that's fine. But bring up your cookie list - the *ONLY* option you have for each cookie is to delete.

Why isn't there are "delete and block" button? It would be SO SIMPLE to add this function, and make the management of cookies so much simpler for the 95% of web users like me who want to accept *most* cookies, and only block obvious cross-site tracking cookies.

The task of copying cookies from one list to another is very tedious. This sort of thing should be able to be automatic.

Re:Cookie on cookie misuse link

[grcumb]

care to enlighten us on the correct way [to open a new window from HTML] or do you intend to let us die dumb?

The correct way is - and always has been - to leave that to the user. Useability studies have shown time and again that new windows popping open unannounced are unwelcome, even frightening to many computer users. And the quickest way to piss off power users like me is to presume to know better than I how your site should be displayed.

This behaviour is another legacy of assuming that the entire world browses with certain versions of MSIE. The only reasonable way in that browser to keep track of multiple sites was to open links in new windows. But even then, such presumption was unwelcome to most people, even many IE users.

The only remaining (valid) use of the target attribute is in a frameset, and that monstrousity is not needed any more, what with the moderately decent CSS positioning support that is present in all modern browsers.

Re:Firefox could do better

[schwaang]

Not only that, but site list is sorted without grouping by domain. So o.nytimes.com is far away in the list from video.nytimes.com. That's just lame.