Cookies are a key part of the HTTP protocol which most web applications rely upon, and which can frequently be used as a vehicle for exploiting vulnerabilities. The cookie mechanism enables the server to send items of data to the client, which the client stores and resubmits back to the server. Unlike the other types of request parameters (those within the URL query string or the message body), cookies continue to be resubmitted in each subsequent request without any particular action required by the application or the user. A server issues a cookie using the Set-Cookie response header, as already observed in previous article:
The user’s browser will then automatically add the following header to subsequent requests back to the same server:
Cookies normally consist of a name/value pair, as shown, but may consist of any string that does not contain a space. Multiple cookies can be issued by using multiple Set-Cookie headers in the server’s response, and are all submitted back to the server in the same Cookie header, with a semicolon separating different individual cookies.
In addition to the cookie’s actual value, the Set-Cookie header can also include any of the following optional attributes, which can be used to control how the browser handles the cookie:
■ expires — Used to set a date until which the cookie is valid. This will cause the browser to save the cookie to persistent storage, and it will be reused in subsequent browser sessions until the expiration date is reached. If this attribute is not set, the cookie is used only in the current browser session.
■ domain — Used to specify the domain for which the cookie is valid. This must be the same or a parent of the domain from which the cookie is received.
■ path — Used to specify the URL path for which the cookie is valid.
■ secure – If this attribute is set, then the cookie will only ever be submitted in HTTPS requests.
Each of these cookie attributes can impact the security of the application, and the primary impact is on the ability of an attacker to directly target other users of the application.
NEXT is ..Status Codes……,