The Dangers of Improper Cookie Use

shifted89 writes "Over the last year, the security community have exposed web application security for what it is — extremely lacking. However, for all the focus on XSS, CSRF, history stealing, etc., not much attention has been given to the cookie. Unfortunately, cookie misuse can be just as dangerous, if not more so than XSS attacks and InformIT illustrates why. In short, the author clearly demonstrates what can happen when a website improperly uses cookies for customer tracking — including a working illustration."

Old News

[MyLongNickName]

Cookie misuse has been chronicled here [bbc.co.uk]

Remember..

[Swimport]

Cookies go in the mouth not the nose.

Re:

[sharkey]

Such a tender, heartwarming account of someone bettering himself. What they don't show is the agonizing struggle he went through. [youtube.com]

Cookies? Javascript? Etc?

[Anonymous Coward]

I disable them all because I hate any innovation of the web past 1991. Anyone who disagrees with me is wrong. This article is proof.

Re:

[Anonymous Coward]

Really? I'm the opposite.

As Scott McNealy once said, "Privacy is dead, deal with it". I've extended that to security which is why I enable javascript and install the binary-only flash player which is configured to auto execute bytecode from any server on the web. In my vision of the future, anybody with disabilities, privacy concerns, security concerns or who is running something other than Windows isn't worth bothering with. Viva innovation, especially from Microsoft!

OT, Scotty..... Re:Cookies? Javascript? Etc?

[mrmeval]

So where did Scott post his social security number, credit card numbers, drivers license number, license plate number, employee id number, his entire medical history, his entire school records, how many times he visits a whore, and a digital copy of his finger prints, retnal pattern and DNA.

Re:Cookies? Javascript? Etc?

[Kelson]

I disable them all because I hate any innovation of the web past 1991.

Hmm. Animated GIFs? Check. Blink? Check. Scrolling status bar? Check. Background MIDI files? Check. Pop-ups? Check. Flash ads with full video and sound? Check. Garish color schemes? Double-check.

I think you're on to something!

Re:Cookies? Javascript? Etc?

[kalaf]

High resolution porn? No wait, I take it back!

Re:

[mabinogi]

There's nothing in the original specs for HTML and HTTP that prevents that ;)

Re:

[MillionthMonkey]

Well maybe you weren't downloading porn in 1991 but some of us were already busy gluing uuencoded ladies back together.

Re:

[McFadden]

Hmm. Animated GIFs? Check. Blink? Check. Scrolling status bar? Check. Background MIDI files? Check. Pop-ups? Check. Flash ads with full video and sound? Check. Garish color schemes? Double-check.

Seriously... Enough about myspace...

Re:Cookies? Javascript? Etc?

[BLACKtactx]

Do you count CSS as an innovation??. If so, i have to disagree with you. Wouldn't it be better to word it "I hate any innovation that annoys me", instead of a blanket "any" innovation. Or maybe I should just develop all my sites in size 15 font, using framesets, in times new roman, and 16 colours. Innovation in itself is not bad, innovation for the sake of it is. The misuse of tehcnology cannot also be blamed on the technology itself but the dumb people who develop. I find javascript incredibly useful to improve my ui, some people decide to make yellow scrolling text on a magenta background, thats not javascripts issue. Dont shoot the messenger. Better go, my brick cell phone is ringing, and Im missing Magnum PI reruns.

Re:

[laffer1]

How about the img tag? I think all of us can think of many uses of pictures on the internet. Hell I kept AOL as a teen to look at porn. :)

Cookies aren't all bad. Most people associate then with ads, but they also allow a stateless protocol to work with login type websites. I couldn't imagine the web without e-commerce or the ability to pay my discover card online. They could have been implemented better or differently, but that's true of all computer technologies. Just remember when working with cooki

You lie! FUD! FUD!

[fm6]

If you were really that old-fashioned, you wouldn't have to disable JavaScript. The graphical web browser was invented in 1992, so you'd be compelled to use a text-only browser, such as Lynx. And those don't have any JavaScript to disable.

You are obviously part of an Evil Conspiracy. Please rant some more so I can figure out which one.

Re:

[rucs_hack]

strictly speaking lyx doesn't count either. It also renders many web page elements that only exist because of graphical browsers.

Re:

[fm6]

You can always run the 1991 version.

Re:

[rucs_hack]

you crazy foo!

Re:

[evilviper]

I disable them all because I hate any innovation of the web past 1991.

You kids and your web...

I want my gopher sites back.

Re:

[sco08y]

I disable them all because I hate any innovation of the web past 1991. Anyone who disagrees with me is wrong. This article is proof.

Screw the web, I'm posting over a gopher gateway.

Obligatory

[Archangel Michael]

Me Like Cookies! - Cookie Monster

Re:

[Archangel Michael]

Why yes! Yes it does!

My problem is that I missed the Anonymous Coward Check box, and now, my karma has taken a hit. Sigh.

Oh well. Live and learn

Re:Obligatory

[Archangel Michael]

Okay, it is ONE of my problems. Sheesh

No need to beat a man while he's down.

What about clipboard theft?

[mongus]

If you think that's bad try going to a page like this [scriptingmagic.com] with IE after copying and pasting sensitive information.

Re:

[geobeck]

From that site:

Did you know that by default Internet Explorer allows any website to obtain the current contents of your clipboard? This isn't a bug, Microsoft considers it a feature.

Damn Microsoft for removing features in IE7!

Re:

[kalirion]

I went to that site with IE6, and it worked as advertised.

cookies passed as plaintext

[brunascle]

Second, cookies are passed as plaintext unless there is an encrypted session. As a result, anyone with a sniffer can capture the cookies contents and use them as their own.

bingo. that's why i store the IP address along with the session ID in the database.

Re:

[multipartmixed]

That's bitten me a few times with AOhelL users... their proxy sometimes dynamically changes.

Mind you, nobody's bitched about it in a couple of years now. Maybe their proxies are smarter now?

Re:

[brunascle]

yeah, i knew that was going to happen going forward, but it's a small price to pay to eliminate a rather large vulnerability. and i have yet to hear any complaints.

Re:

[adnonsense]

When I faced that problem, I made the IP check only consider the first 2 octets of the IP address, and compared the user agent too. By no means watertight, but was enough to stamp out some casual abuse with a minimum of effort.

Re:cookies passed as plaintext

[Xzzy]

bingo. that's why i store the IP address along with the session ID in the database.

There was a merchant site that I visited quite some time ago that did something like this. Except they screwed it up and, along with putting the session ID in the URL, they "automatically" tied the session id with account information. The effect this had was that anyone who visited a copied URL would pull up the account information of the person who had spread the URL around.

It took some time to figure it out. The URL was posted on a fairly busy forum, and it was a fairly fast selling item, and 50+ people had used the link to try and make a purchase.. and every time someone checked out, the account was updated with their information.

I'm not sure what the lesson here is, other than the fact that any "safe practice" can become insecure in the hands of idiots. Cookies aren't an inherently stupid idea, but the ease of using them invites a lot of abuses.

Re:cookies passed as plaintext

[jgc7]

> bingo. that's why i store the IP address along with the session ID in the database.

How does that do anything for the example given? If someone uses a sniffer at a wireless access point with NAT, they have access to the same IP as their victim.

Re:

[panaceaa]

Security is not absolute, and there's lots of ways to get a cookie besides having root somewhere along a person's network uplinks. Security IS about making things harder for people, and I controversially (though pretty firmly) believe that locking a cookie down to an IP address is a great idea. It may not work as well for people behind a large corporate network, or a rooted machine behind the same NAT as a victim user, but sending a request out from a specific IP address is usually a big step to overcome

doing that also nicely blocks AOL users

[bigtrike]

bingo. that's why i store the IP address along with the session ID in the database.

That has the convenient side effect of making your site not work for AOL users or anyone else behind a balanced proxy

Re:

[budgenator]

why not send a few random characters in a hidden field as an nounce and a md5sum of the session ID and the nounce, then you can stop most sesion hijacks as well. Give the nonce and checksum a reasonable sounding name and no one would connect the dots.

Re:

[Doctor Memory]

Great, another site I can't visit when I'm at The Client From Hell. TCFH, among other endearing practices, sets DHCP leases to expire every fifteen minutes. As you might imagine, this makes downloading large patches or updates "eventful"...

Re:

[daeg]

How do you figure? He's storing the public-facing IP, not the private address.

How does this break?

(Of course it does break for anyone using anonymizer-type services)

Re:

[brunascle]

If I can sniff your http traffic, I can also spoof your IP.

and how would you get the returned packets, if my server is sending them to the IP you're trying to spoof?

Re:

[brunascle]

yup, that's true. and as someone else pointed out, if you and the victim were both behind the same NAT, you could have the same public IP address anyway. so it obviously isnt perfect, but it's better than nothing.

and, other than forcing SSL for the entire site, i cant think of anything better.

practical, perhaps?

[fermion]

I was going to read the article until the 5th cookie was set at which point i just assumed that the entire thing was an practical lesson. Be stupid enough to read an article about cookie abuse and get caught in the trap. Sort of like trying to find a windows virus filter only to find that the virus filter has infected you.

Oh well, I guess this is just another lesson in how marketers will shoot themselves in the foot. Animated gifs are abused, so i turn animation off. Cookies are abused, so i reject any cookie that is not obviously necessary. Flash is useful, but no way to request that it does not start automatically, so either I don't install it or install a hack to block it. I don't even see the product that is being advertised.

I hope this gets everyone off thier high horse, and realize that third party cookies should be rejected on all machines by default. What I really wish existed was a screen that popped up every time you went to a new site that informed the user of the site, and asked for a cookie preference for that site. That way, all cookies could be accepted at the corporate site, and no cookies might be accepted at google.

Re:

[blindcoder]

My mozilla from a year-or-so ago has this setting where it ask you about each cookie being set. it can then remember the setting for this website.
Maybe you should learn about or change your browser.

Edit - Preferences - Privacy & Security - Cookies
Here Check 'Allow Cookies based on privacy settings' and 'Ask for each cookie'.

Also, for flash, google for flashblock. Nice plugin, disables all flash and replaces it with a 'play' button. You can then click on that button to show the flash.

Re:

[FireFury03]

My mozilla from a year-or-so ago has this setting where it ask you about each cookie being set. it can then remember the setting for this website.
Maybe you should learn about or change your browser.

For some crazy reason, FireFox 2 has now removed this option - I had to go poking around in about:config to turn it back on. :(

Re:

[aaronl]

On my Firefox 2 (Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1) Gecko/20060601 Firefox/2.0 (Ubuntu-edgy)), I definitely have that option. It's in Preferences, Privacy, "Keep Until: ask me every time".

Re:

[Yazeran]

Oh well, I guess this is just another lesson in how marketers will shoot themselves in the foot. Animated gifs are abused, so i turn animation off. Cookies are abused, so i reject any cookie that is not obviously necessary. Flash is useful, but no way to request that it does not start automatically, so either I don't install it or install a hack to block it. I don't even see the product that is being advertised.

Well just use Firefox with the Adblock and Flashblock extensions (ok addblock does not fix flash

Re:

[M. Baranczak]

In my opinion Adblock and Flashblock are the two most important reasons to use Firefox.

Mine too. You don't even realize how annoying those Flash ads are until you use FlashBlock for a few months, then go use a browser that doesn't have it.

Firefox could do better

[brunes69]

Firefox could do better around cookies.

For example, just look at their cookie management under "privacy". Sure, they have white and blacklists for cookies, and that's fine. But bring up your cookie list - the *ONLY* option you have for each cookie is to delete.

Why isn't there are "delete and block" button? It would be SO SIMPLE to add this function, and make the management of cookies so much simpler for the 95% of web users like me who want to accept *most* cookies, and only block obvious cross-site trackin

Re:

[schwaang]

Not only that, but site list is sorted without grouping by domain. So o.nytimes.com is far away in the list from video.nytimes.com. That's just lame.

Re:

[evilviper]

In my opinion Addblock and Flashblock are the two most important reasons to use Firefox.

If you use NoScript (which you should to stop dangerous and irritating javascript code), you don't need Flashblock.

Re:

[nekokoneko]

What I really wish existed was a screen that popped up every time you went to a new site that informed the user of the site, and asked for a cookie preference for that site. That way, all cookies could be accepted at the corporate site, and no cookies might be accepted at google.

Actually, Konqueror does that if you set it up to ask what to do when you receive a cookie. I fiddled around with Firefox and couldn't find a way to do it, but maybe messing around with Network.cookie.cookieBehavior [mozillazine.org] and Network.c [mozillazine.org]

Re:

[Arkhan]

fermion: What I really wish existed was a screen that popped up every time you went to a new site that informed the user of the site, and asked for a cookie preference for that site. That way, all cookies could be accepted at the corporate site, and no cookies might be accepted at google.

This is easily configurable behavior in IE6 (possibly earlier - I can't recall). Tools->Internet Options->Privacy->Advanced.

I keep mine set to third-party reject, first-party prompt, always accept session cook

Re:

[Crayon Kid]

Trust me, you DON'T want a popup dialogue for every cookie. There are Firefox extensions (such as Cookie Button) which let you customize cookie setting per-site. Together with a default of "enforce session expiration for this site", all is well.

You can't really browse the web with cookies completely disabled. I have extensions that can block both cookies and JavaScript completely. I can live without JS, but I've discovered I can't with blocking all cookies by default. So now the default is session. It's ok,

Re:

[PCM2]

Sort of like trying to find a windows virus filter only to find that the virus filter has infected you.

Where the hell do you live? Soviet Russia?

Re:

[ben there...]

Or you can use "Permit Cookies" with FireFox and still read it without getting/giving any cookies if you want ;-)

I'm with you on that, regardless of its, umm, ambiguous name. Block by default, Alt-C to allow.

The alternative, asking on every site, would be very annoying.

How old is this article?

[Dekortage]

It says "updated Dec 15, 2006" but the comments at the end of the article are all dated from 2004. I mean, the problem is much older than that, but it seems the article was just updated with 2006 dates to make it seem more current. Or am I missing something?

Re:

[locokamil]

If the site used cookies, we would know.

Cookie on cookie misuse link

[blindcoder]

I like how the first thing the 'cookie misuse' site is doing is trying to do is to set a cookie. The 'why' remains unknown.
Other things they do is prohibit tabbed browsing by using javascript to open an image from a thumbnail to a new window. Can someone please send these guys to a usability crash-course?

Re:Cookie on cookie misuse link

[J0nne]

Other things they do is prohibit tabbed browsing by using javascript to open an image from a thumbnail to a new window.

I can't believe how common that still mistake still is.
It's not like it's hard to use the following instead:
<a href="image.jpg" onclick="popup(this.href);return false;">link</a>...

Re:

[Crayon Kid]

I can't believe how common that still mistake still is.
It's not like it's hard to use the following instead:
link [slashdot.org]

You do know that window.popup() works in IE only, right?

Re:

[J0nne]

I didn't know IE had a built-in function called popup (I use Firefox for everything). popup(element) in my example would be a custom function that uses window.open to open the href attribute of the anchor.

I just used that example for clarity, and to make a point that it pisses me off too that some web developers don't want to go through the trouble of providing a real link to images while there's no technical reason to not do that.

Besides, I wouldn't even write the thing inline, but use something like

Re:

[LanMan04]

or just use the target parameter like everyone else.

Depricated! Not valid XHTML!

Re:Cookie on cookie misuse link

[grcumb]

care to enlighten us on the correct way [to open a new window from HTML] or do you intend to let us die dumb?

The correct way is - and always has been - to leave that to the user. Useability studies have shown time and again that new windows popping open unannounced are unwelcome, even frightening to many computer users. And the quickest way to piss off power users like me is to presume to know better than I how your site should be displayed.

This behaviour is another legacy of assuming that the entire world browses with certain versions of MSIE. The only reasonable way in that browser to keep track of multiple sites was to open links in new windows. But even then, such presumption was unwelcome to most people, even many IE users.

The only remaining (valid) use of the target attribute is in a frameset, and that monstrousity is not needed any more, what with the moderately decent CSS positioning support that is present in all modern browsers.

Re:

[Arker]

You're currently at +4 insightful and I'd happily put you up to +5 if I could. There are very few posts that deserve +5 IMOP but you really hit the nail on the head. Well done.

Re:

[ben there...]

I believe not allowing target= anymore has more to do with semantic web stuff. It's presentation/functionality, and doesn't belong in the HTML (in theory). What it really means, though, is everyone will use annoying javascript like the one mentioned a few parents up for a while, until they all figure out that you can apply the javascript to certain classes or rels.

Btw, popup windows do have their purposes, such as music players that should remain running even while you're browsing other pages, or in some ca

Re:

[ben there...]

Hmm...you're right. It's* a step towards the Semantic Web, but only a subset. Maybe referring to it as MVC would have been more appropriate. Anyway.

* I know the correct usage of its and it's, but I still have to consciously think about which one to use. It doesn't come naturally to me. That time fell into the 5% I don't catch.

Re:

[blindcoder]

if I click on the image, I expect it to open in the same or a new window. If I click with both mousebuttons, I expect it to open in a new tab.
this is not possible with javascript 'links' which may or may not do things as you would expect and certainly destroy any usage patterns you have achieved and do so without a valid reason.

I love the start of this article

[fullphaser]

As it references XSS attacks and then jumps to cookie abuse like it is something newer than XSS, I mean you know the whole web 2.0, almost everything being session and cookie based, yes turn those boogers off their dangerous, and return to the safe land of 1998 where static web pages reigned supreme. The fact is that we can't just dismiss the cookie, yes we can play safely in the field with it, but past that it is a integral part of today's web infrastructure and there is no short term replacement for it, between JS, ASP, and PHP all nearly relying on the whole concept of the cookie to validate session etc. You can't just say they are dangerous and to stop accepting them in general, and you can't just tell the web designer to stop using them, for the primary reason that it isn't practical.

Re:

[Shados]

the problem isn't even javascript or cookies. Its that making web sites was marketed as something easy, when in practice, web apps are significantly more difficult to make than desktop applications (at least if you don't half ass them). So you have a ton of people claiming to be web experts, that don't know how all these technologies work... The technologies are decent at what they do, as long as the average skill of those who use them is greater than your typical 6th grader...

Re:

[Shados]

Yup. Symmetric encryption of the cookies, on top of SSL enabled, for the win. That tends to be good enough for a lot (not all) purposes, as then the cookie is semi-temper proof.

Re:

[evilviper]

You can't just say they are dangerous and to stop accepting them in general,

Yes I can.

and you can't just tell the web designer to stop using them, for the primary reason that it isn't practical.

Yes I can, and yes it is.

Maybe

[RAMMS+EIN]

``"Over the last year, the security community have exposed web application security for what it is extremely lacking. However, for all the focus on XSS, CSRF, history stealing, etc., not much attention has been given to the cookie.''

Maybe that's because the dangers of cookies have been known for AGES?

Worse and worse

[Dracos]

Cookie abuse reached new heights a few weeks ago when top sites in Google search results throw cookies on the search results page. So far it's not a guaranteded occurance, and only happens for the top search result. Still, it's jumping the gun.

I can't wait for the Mozilla devs to clean up their cookie code so that blocking cookies is as easy and configurable as blocking images. Even being able to prompt to block everything other than a session cookie would be a nice improvement.

Re:

[i.r.id10t]

Blank your cookie file, login, etc. to the sites you want to have cookies on, close browser, make cookies.txt readonly, enjoy.

Re:Worse and worse

[afidel]

That's because your browser is pre-downloading the content from those sites, so yeah they are going to send their normal cookies. Turn off the preload feature and problem solved.

Re:

[Dracos]

I keep a somewhat comprehensive (18,000 line) hosts file on my machine, and have for a few years now. I don't get barraged with as many cookies (or banners) as most people.

This cookies-in-the-results behavior isn't a pre-fetch issue. It started well after I switched (from Mozilla) to Firefox 1.5.x in August, maybe in the last month or so.

Other key features for cookie blocking are to block cookies from domains other than the window's URI, and block cookies returned from non text/* or application/* mime

Re:

[evilviper]

I can't wait for the Mozilla devs to clean up their cookie code so that blocking cookies is as easy and configurable as blocking images.

It already is...

For images, you have Adblock.

For cookies, it's "Cookie Button" https://addons.mozilla.org/firefox/1247/ [mozilla.org]

Or in the status bar: https://addons.mozilla.org/firefox/1328/ [mozilla.org]

The Real Danger of Improper Cookie Use

[MrCopilot]

The Real Danger of Improper Cookie Use:

Two Words: Crumby Milk

Thank You and Tip your Servers.

Obligatory Simpsons reference....

[Illusion2269]

Mindy: What's wrong?
Homer: Oh, yeah, like you don't know. We're gonna have sex!
Mindy: Oh...well, we don't have to.
Homer: Yes we do! The cookie told me so.
Mindy: Well...desserts aren't always right.
Homer: But they're so sweet!

OMG cookie misuse!

[suv4x4]

There are way more subtle ways to misuse cookies than demonstrated here.

This article shows us that you shouldn't let people in only by username without their password. Well duh.

What's the big deal?

[smooth wombat]

I read the article and the author talks about the usual stuff: what cookies are, what they contain and how they track you. Then he goes on to say that since some of the cookies expire in 2009, a lot of information could be collected on you during this time.

As is said everytime the issue of cookies comes up, DELETE THEM! You don't need to keep them.

Once you delete them, you're a new, unique visitor to a web site. You screw with their statistics since they think you're someone new, thus increasing their ad

Deleting Cookies Automatically

[Kelson]

Firefox and Opera both make it easy to automatically delete cookies.

In Firefox, go to Tools->Options* and select Privacy. In the Cookies section, change "Keep until:" to "I close Firefox." Voila! All cookies will be deleted automatically whenever you close Firefox. Plus, by clicking on the "Exceptions..." button, you can set a list of sites for which you want to remember your cookies. Alternatively, you can use the Clear Private Data feature, but wipes all cookies, even the ones you've listed under

More "Cookie Monster" Hysteria

[Doc Ruby]

The "friendly" article does start off sensibly, mentioning that "Cookies are not programs, they can't read your personal data, and they don't cause spam.". OK, main scary cookie myths put aside.

FTFA:

This value pair is my personal identification code that can be used to track my movements across the internet and build a profile about my surfing habits. This is possible because a cookie can be read at any time by the domain that owns it. As a result, when I visit Slashdot.org, doubleclick.net will attempt to read its cookie that is on my computer. This will provide doubleclick.net with my id value, and their database will be updated. In other words, they now know that I like to visit Informit.com and Slashdot.org. Already their profile on my surfing habits can tell them I am probably a computer geek.

That section about the "personal identification code" talk is very weaselly. It makes cookies sound like any website can read a cookie on your computer that's flagged as "owned" by that website at any time. Cyrus Peikari and Seth Fogie (article authors) leave out the important, necessary link: the DoubleClick cookie can be read only when your computer makes an outgoing HTTP connection to DoubleClick. Like when a DoubleClick banner ad is included in a Slashdot page's HTML. Which HTTP request includes a CGI param (REFERER) pointing to the Slashdot page from which the IMG tag instructed the computer to pull the DoubleClick banner image. That's how Doubleclick gets its cookie, and the context that you visited a Slashdot page.

DoubleClick cannot read its cookie any other time, when there's no HTTP connection from your computer to DoubleClick. Like all the rest of the pages on which DoubleClick has no banner or other "self-clicking" link. There are web bugs, invisible images tags embedded in other pages just to hit their server with the REFERER of the page triggering their bug, updating your computer's cookie with their counter (etc). But they cannot be read "at any time".

Besides, the cookie is a nonessential part of this snooping. DoubleClick doesn't need to keep its counter on your computer - the IMG hit can update its server-side counter DB. It can ID you, though not as precisely, by your IP# and other CGI parameters you send with every HTTP request. Or DoubleClick's deal with, say, Slashdot, is that Slashdot encode the DoubleClick banner IMG tags the Slashdot server sends you with its pages with a unique ID, like your Slashdot userid. ACs and public terminals mostly escape, but they're not really targets for these marketdroids.

And you can turn off cookies in any non-retarded browser, making them anonymous (encoded IMG URLs are much harder - see?). And you can inspect the cookies stored on your computer.

All these issues were discussed in great detail by the HTTP Working Group as we invented cookies, almost a decade ago. Some people were philosophically opposed to letting untrusted servers store any data on users' computers. Though every page, every image is stored on users' computers, after retrieval for presentation. And we realized that stopping cookies would mean only people with money to make "cross-site" deals and maintain large centralized databases would get the power to exploit cookies for tracking. So the cost would motivate more profit-exploitation of the tech. Ultimately only profiteers would track you, and there'd be plenty of them, without even the local control that cookies offer. And the entire Web would lose even voluntary easy tracking of intersession client state.

We decided to make cookies simple and use them. They're mostly harmless - a good balance with the huge benefit they deliver all day long in the Web Era. But I guess there's still profit to be made by scaring people on the Web, like the naive "technologists" to whom this InformIT article is directed, with incorrect cookie hysteria, and offers to help protect us.

That's the way the cookie crumbles.

Re:

[VGPowerlord]

It's not really a good idea calling them CGI parameters, as they're sent with every request whether or not there's a CGI script at the other end. This is what goes in web server logs and why your web server logs list things like Referrer and Browser.

Re:

[Doc Ruby]

It's "Common Gateway Interface". Even when there's no CGI script to consume them, they're part of the CGI environment generated by the HTTP server. And "CGI" is a familiar term, especially to people who could use interpretation of this hysterical article.

Re:

[VGPowerlord]

Since you know what CGI stands for, perhaps you should read the description of it as well. Emphasis added by me.

The Common Gateway Interface, or CGI, is a standard for external gateway programs to interface with information servers such as HTTP servers.

Webservers don't create the CGI environment unless they're calling a CGI script. Some webserver modules duplicate the CGI environment as well: SSI and PHP as examples.

The referrer is an HTTP header, specifically the Referer [w3.org] header. I also mentioned Browser

Re:

[RAMMS+EIN]

``DoubleClick doesn't need to keep its counter on your computer - the IMG hit can update its server-side counter DB. It can ID you, though not as precisely, by your IP# and other CGI parameters you send with every HTTP request. Or DoubleClick's deal with, say, Slashdot, is that Slashdot encode the DoubleClick banner IMG tags the Slashdot server sends you with its pages with a unique ID, like your Slashdot userid.''

Or by exploiting your browser cache. For example, by sending you a file that causes a unique i

Re:

[Doc Ruby]

Yes.

Thanks, I'll take cookies, please.

Re:

[schwaang]

DoubleClick cannot read its cookie any other time, when there's no HTTP connection from your computer to DoubleClick. Like all the rest of the pages on which DoubleClick has no banner or other "self-clicking" link.

I think the article was just addressing the fact that web usage across totally different sites (including Slashdot) is tracked (w/ the help of cookies) by the likes of doubleclick. That in itself is of interest, and many users still don't realize that it goes on. If that's news to a reader of t

Re:

[Doc Ruby]

Except blocking them won't help their privacy, for the reasons I mentioned. Because it's not just DoubleClick. And it's not just cookies.

The article addressed several things, some of which were wrong. Hence my post.

Re:

[schwaang]

TFA points out something many people don't know which materially affects their privacy. The fact that there are other ways of gathering the same data does not negate the fact that cookies are actively used for that purpose, nor is it "hysteria" to point out such use of cookies. Hence my reply to your post.

Re:

[Doc Ruby]

That's why I didn't disagree with the article's main focus, "The Dangers to the Server of Improper Cookie Use by the Client". Even though that's what the ambiguous Slashdot story headline should have read.

And why I did point out the authors did mention that cookies aren't as scary in some ways as some try to say.

I know I write long posts. They're still not usually designed as comprehensive reviews of the entire story they discuss. Especially when they don't say they are.

Cookies

[KermodeBear]

I have a friend who works for a medical software company. Their system handles all kinds of personal information; SSNs, medical records, body scans, etc. The authentication is cookie-based; All the information about a user's access is a serialized, base64 encoded data structure.

Yup, you heard it right. base64 decode your cookie, change a few values, stick it back in... Ta-da, you're an admin.

Improper cookie use can be a nasty, nasty thing. The worst part is that this problem was brought up to the lead developer, who had originally wrote this auth system, but... "Well, it is base64 encoded, noone will ever figure that out." Yeah, right.

Re:Cookies

[The MAZZTer]

If I see a nonsensical combination of upper and lower case letters, numbers, and punctuation, especially if it has one or two equal signs tacked onto the end, I immediately think "base64!".

Firefox allows base64 encoding for data: urls, and we can use this to make a quick-n-dirty base64 decoder. Just type data:text/plain;base64, (including the comma) into the address bar and paste the string on the end, and hit enter to see the decoded string (if it's plaintext).

Base64 is not encryption and it should not be used where encryption is needed (or in this case, a secure DATABASE). Base64 is a way to represent binary data in plaintext without having to worry about data corruption due to non-binary safe programs.

Re:

[accessdeniednsp]

Explain to him why he should use a salt in his data:

http://en.wikipedia.org/wiki/Syntactic_sugar#Synta ctic_salt [wikipedia.org]

Really, it's not *that* hard, people...

Let's discuss something new

[claes]

Firefox 2 includes the new WHATWG-specified client-side persistent storage [whatwg.org]. However, some argue it is critically flawed [dreamhost.com]. Learn the arguments now and we can discuss this further on Slashdot in 2010!

Re:

[Pichu0102]

Are we allowed to use those arguments we learned when the dupe comes round, or do we have to wait until 2010?

Re:

[claes]

You better wait. In 2007 we will argue about Google and Ipod every day, Slashdot will be too busy for dupes on persistent storage until 2010.

Enough Already!

[h4ck7h3p14n37]

Anyone want to guess how many more stupid articles we're going to see explaining the basics of how HTTP, cookies or Javascript works? I find it amusing, yet sad, that so many people are pointing out web vulnerabilities that are nothing more than a n00b not understanding how someting works and either misconfiguring it or using it improperly.

I'm sorry, but cross-site scripting attacks are not real vulnerabilities! The problem is that your stupid browser can execute Javascript that's allowed to read local

Re:

[Shados]

ajax doesn't allow you to keep a live connection or something. It still does standard HTTP requests and such. So you're still living in a disconnected model. It doesn't help, unless you're using a fancy framework that will handle things for you: but then its the framework that helps, not ajax.

Re:

[iwan-nl]

Good AJAX sites don't work like that. It breaks the browser's navigation and refresh buttons and it doesn't degrade gracefully.

Re:

[Carnildo]

Ok... if you're storing the session id via cookie... what's the best solution for preventing cookie theft abuse? Pardon my stupidity for not knowing this already...

1) Make the session ID a random value so it can't be guessed
2) On the backend server, tie the session ID to a given access time and IP range
3) Invalidate the session ID and force a re-login if a request with that ID comes too long after the last access, or from a different IP range.

Re:

[ben there...]

The reason why I say c-class and not full ip address is that the ip address of AOL users can sometimes rotate mid-session

So AOL users can still steal each other's cookies. Guess AOL users are SOL.