HTTP Cookies
What are the two cookie prefixes?
1. __Host-
2. __Secure-
What directives must be present for a cookie to be permanent?
Expires or Max-Age
What values can the SameSite attribute have?
1. None
2. Strict
3. Lax
What are the 3 purposes of cookies?
1. Session management (logins, shopping carts, game scores)
2. Personalization (user preferences, themes)
3. Tracking (recording and analyzing user behavior)
What restrictions can be added to a cookie?
1. The expiration date, after which the cookie is no longer sent.
2. The domain and path, limiting where the cookie is sent.
What is a permanent cookie?
A cookie that does not expire when the client closes.
What is a session cookie?
A cookie that is only valid for a browser session (i.e. it is deleted when the client shuts down).
What is a secure cookie?
A secure cookie is a cookie that is only sent to the server with an encrypted request over the HTTPS protocol.
What is an HTTP cookie?
An HTTP cookie (web cookie, browser cookie) is a small piece of data that a server sends to the user's web browser. The browser may store it and send it back with the next request to the same server. Typically, it's used to tell if two requests came from the same browser — keeping a user logged-in, for example. It remembers stateful information for the stateless HTTP protocol.
What is the default value for SameSite?
Browsers are migrating to have cookies default to SameSite=Lax. If a cookie needs to be sent cross-origin, opt out of the SameSite restriction using the None directive. The None directive requires the Secure attribute.
What are cookie prefixes?
Cookie prefixes assert specific facts about cookies that add additional security.
What is a drawback of cookies?
Cookies are sent with every request, so they can worsen performance (especially for mobile data connections).
When should an HttpOnly flag be set?
Cookies that persist server-side sessions don't need to be available to JavaScript, so the HttpOnly flag should be set.
What is a CSRF attack?
Cross-Site Request Forgery (CSRF) attacks allow a malicious user to execute actions using the credentials of another user without that user's knowledge or consent.
What attack do SameSite cookies protect against?
Cross-site request forgery attacks (CSRF)
How does the Domain directive define the scope of the cookie?
Domain specifies allowed hosts to receive the cookie. If Domain is specified, then subdomains are always included. For example, if Domain=mozilla.org is set, then cookies are included on subdomains like developer.mozilla.org.
What is HSTS?
HTTP Strict Transport Security lets a web site inform the browser that it should never load the site using HTTP and should automatically convert all attempts to access the site using HTTP to HTTPS requests instead. It consists of one HTTP header, Strict-Transport-Security, sent back by the server with the resource.
What are HttpOnly cookies and why are they used?
HttpOnly cookies are inaccessible to the JavaScript Document.cookie API and are only sent to the server. They are used to help mitigate cross-site scripting (XSS) attacks.
What happens if the cookie name has the __Secure- prefix?
If a cookie name has this prefix, it will only be accepted in a Set-Cookie directive if it is marked Secure and was sent from a secure origin. This is weaker than the __Host- prefix.
What happens if the cookie name has the __Host- prefix?
If a cookie name has this prefix, it will only be accepted in a Set-Cookie directive if it is marked Secure, was sent from a secure origin, does not include a Domain attribute, and has the Path attribute set to /. In this way, these cookies can be seen as "domain-locked".
What is a session fixation attack?
Because a cookie can be set with a Domain attribute that covers the parent domain and all of its subdomains, a vulnerable application on a subdomain can abuse this mechanism in a session fixation attack. When the user visits a page on the parent domain (or another subdomain), the application may trust the existing value sent in the user's cookie. This could allow an attacker to bypass CSRF protection or hijack a session after the user logs in.
How is the cookie scoped if the Domain is not specified in the scope of a cookie?
If unspecified, it defaults to the host of the current document location, excluding subdomains.
How can JavaScript create cookies?
New cookies can also be created via JavaScript using the Document.cookie property, and if the HttpOnly flag is not set, existing cookies can be accessed from JavaScript as well. Cookies created via JavaScript cannot include the HttpOnly flag.
What header is set for all future requests after the client receives a response with a Set-Cookie header?
Now, with every new request to the server, the browser will send back all previously stored cookies to the server using the Cookie header. Note that the browser automatically sets this header.
What is the format of the Set-Cookie header?
Set-Cookie: <cookie-name>=<cookie-value>
How does the Path directive define the scope of the cookie?
Path indicates a URL path that must exist in the requested URL in order to send the Cookie header. The %x2F ("/") character is considered a directory separator, and subdirectories will match as well. For example, if Path=/docs is set, these paths will match: /docs, /docs/Web/, /docs/Web/HTTP.
What is an example of Set-Cookie header that is permanent?
Set-Cookie: id=a3fWa; Expires=Wed, 21 Oct 2015 07:28:00 GMT;
What happens when the SameSite attribute has a value of Lax?
Same-site cookies are withheld on cross-site subrequests, such as calls to load images or frames, but will be sent when a user navigates to the URL from an external site; for example, by following a link.
What browsers support SameSite cookies?
SameSite cookies are relatively new and supported by all major browsers.
What are SameSite cookies?
SameSite cookies let servers require that a cookie not be sent with cross-site requests (where "site" is defined by the registrable domain). Example: Set-Cookie: key=value; SameSite=Strict
What happens when the SameSite attribute has a value of None?
SameSite=None: the browser will send cookies with both cross-site requests and same-site requests.
What do cookie prefixes protect against?
Session fixation attacks
How can session fixation attacks be mitigated?
Session fixation should primarily be mitigated by regenerating session cookie values when the user authenticates (even if a cookie already exists) and by tying any CSRF token to the user.
What defines the scope of a cookie?
The Domain and Path directives define the scope of the cookie: what URLs the cookies should be sent to.
What happens when the SameSite attribute has a value of Strict?
The browser will only send cookies for same-site requests (requests originating from the site that set the cookie). If the request originated from a different site than the one of the current location, none of the cookies tagged with the Strict attribute will be included.
What happens if the cookie does not include an Expires or Max-Age directive?
The cookie is a session cookie and is deleted when the client is shut down.
What is the cookie expiry date relative to?
When an expiry date is set, the time and date set is relative to the client the cookie is being set on, not the server.
How is a cookie created?
When receiving an HTTP request, a server can send a Set-Cookie header with the response. The cookie is usually stored by the browser, and then the cookie is sent with requests made to the same server inside a Cookie HTTP header.
What is a cross-site scripting (XSS) attack?
XSS is a term used to describe a class of attacks that allow an attacker to inject client-side scripts through the website into the browsers of other users. Because the injected code comes to the browser from the site, the code is trusted and can do things like send the user's site authorization cookie to the attacker. When the attacker has the cookie, they can log into a site as though they were the user and do anything the user can, such as access their credit card details, see contact details, or change passwords.
What is the method in Node.js to set the cookie?
response.setHeader(name, value)