Cookie Security and Web Tracking Guide

The document outlines cookie security policies, focusing on the Same Origin Policy (SOP) for cookies, which determines how cookies can be accessed based on their domain and path. It discusses the setting and deleting of cookies, the scope of cookies, and how cookies are read by servers. Additionally, it touches on web tracking technologies, their objectives, and tools used for web analytics and user behavior analysis.

Uploaded by

22f3000894
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PPTX, PDF, TXT or read online on Scribd
0% found this document useful (0 votes)
55 views14 pages

Cookie Security and Web Tracking Guide

The document outlines cookie security policies, focusing on the Same Origin Policy (SOP) for cookies, which determines how cookies can be accessed based on their domain and path. It discusses the setting and deleting of cookies, the scope of cookies, and how cookies are read by servers. Additionally, it touches on web tracking technologies, their objectives, and tools used for web analytics and user behavior analysis.

Uploaded by

22f3000894
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PPTX, PDF, TXT or read online on Scribd

COOKIE SECURITY POLICY

Dr. Koyel Datta Gupta


Same origin policy: “high level”

Review: Same Origin Policy (SOP) for DOM: origin A can access origin B’s DOM if they match on (scheme, domain, port).

Today: Same Origin Policy (SOP) for cookies: generally speaking, based on ([scheme], optional domain, path).
Setting/deleting cookies by server

Browser → Server: GET …
Server → Browser, HTTP header:
  Set-Cookie: NAME=VALUE ;
    domain = (when to send) ;   } scope
    path = (when to send) ;     }
    secure = (only send over SSL) ;
    expires = (when expires) ;  if expires=NULL: this session only
    HttpOnly (later)

• Delete cookie by setting “expires” to date in past
• Default scope is domain and path of setting URL
Scope setting rules (write SOP)

domain: any domain-suffix of URL-hostname, except TLD
example: host = “[Link]”
  allowed domains:    [Link], .[Link]
  disallowed domains: [Link], [Link], .com

• [Link] can set cookies for all of .[Link], but not for another site
• Problematic for sites like .[Link]
Cookies are identified by (name, domain, path)

  cookie 1              cookie 2
  name = userid         name = userid
  value = test          value = test123
  domain = [Link]       domain = .[Link]
  path = /              path = /
  secure                secure

These are distinct cookies: both are stored in the browser’s cookie jar, and both are in scope of [Link].
Reading cookies on server (read SOP)

Browser → Server: GET //URL-domain/URL-path
                  Cookie: NAME = VALUE

Browser sends all cookies in URL scope:
• cookie-domain is domain-suffix of URL-domain, and
• cookie-path is prefix of URL-path, and
• [protocol=HTTPS if cookie is “secure”]

Goal: server only sees cookies in its scope
Examples (both cookies set by [Link])

  cookie 1              cookie 2
  name = userid         name = userid
  value = u1            value = u2
  domain = [Link]       domain = .[Link]
  path = /              path = /
  secure                non-secure

http://[Link]/  → cookie: userid=u2
[Link]          → cookie: userid=u2
[Link]          → cookie: userid=u1; userid=u2 (arbitrary order)
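The write-SOP rule for domain= and the read-SOP rule for which cookies accompany a request, worked in code. This is an added example and not part of the slides; the hostnames login.example.com and other.example.com are constructed stand-ins for the slides' [Link] placeholders, and the TLD check is the naive suffix rule the slides describe, not a Public Suffix List lookup.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    domain: str    # leading dot: this domain and all of its subdomains
    path: str
    secure: bool   # only sent over HTTPS


def domain_matches(cookie_domain: str, host: str) -> bool:
    """Read SOP: cookie-domain must be a domain-suffix of the request host."""
    bare = cookie_domain.lstrip(".")
    if cookie_domain.startswith("."):
        return host == bare or host.endswith("." + bare)
    return host == bare            # host-only cookie: exact match


def path_matches(cookie_path: str, url_path: str) -> bool:
    """Read SOP: cookie-path must be a prefix of the request path, on a '/' boundary."""
    return url_path == cookie_path or url_path.startswith(cookie_path.rstrip("/") + "/")


def cookies_for_request(jar, scheme: str, host: str, url_path: str) -> list:
    """The Cookie header the browser would send: every jar entry in scope of the URL.
    Sorted only to make the 'arbitrary order' of the slides deterministic here."""
    return sorted(f"{c.name}={c.value}" for c in jar
                  if domain_matches(c.domain, host)
                  and path_matches(c.path, url_path)
                  and (scheme == "https" or not c.secure))


def may_set_domain(setting_host: str, requested: str) -> bool:
    """Write SOP: a page may set domain= to any suffix of its own host except a bare TLD.
    Assumption: a single-label suffix is a TLD. Multi-label public suffixes pass this
    naive rule, which is why real browsers consult the Public Suffix List instead."""
    bare = requested.lstrip(".")
    if "." not in bare:
        return False
    return setting_host == bare or setting_host.endswith("." + bare)


# Constructed sample jar mirroring the slides' two userid cookies.
SITE = "login.example.com"
JAR = [
    Cookie("userid", "u1", SITE, "/", secure=True),
    Cookie("userid", "u2", ".example.com", "/", secure=False),
]
```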
Interaction with the DOM SOP

Cookie SOP: path separation
  [Link]/A does not see cookies of [Link]/B

Not a security measure:
  DOM SOP: [Link]/A has access to DOM of [Link]/B
    <iframe src="[Link]/B"></iframe>
    alert(frames[0].[Link]);

Path separation is done for efficiency, not security: [Link]/A is only sent the cookies it needs
Solution: cryptographic checksums

Goal: data integrity
Requires secret key k unknown to browser

Generate tag: T ← F(k, value)

Server → Browser: Set-Cookie: NAME = value T   (server holds k)
Browser → Server: Cookie: NAME = value T
Verify tag: T =? F(k, value)

“value” should also contain data to prevent cookie replay and swap
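One way to implement the tag F(k, value) and the extra data the last line asks for, as an added example that is not from the slides: HMAC-SHA256 is chosen as F, and the value carries the user id, a session id and an expiry so a tag cannot be moved onto another user's cookie (swap) or reused after expiry (replay). The key is a constructed placeholder.

```python
import hashlib
import hmac


def tag(key: bytes, value: str) -> str:
    """F(k, value): HMAC-SHA256 over the cookie value, keyed by the server secret k."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()


def make_cookie(key: bytes, user: str, session_id: str, expires_at: int) -> str:
    """Build the Set-Cookie value 'value|T'. Binding the user id into the value
    defeats swapping a tag onto another user's cookie; the session id and expiry
    bound how long a captured cookie can be replayed."""
    value = f"{user}|{session_id}|{expires_at}"
    return f"{value}|{tag(key, value)}"


def verify_cookie(key: bytes, cookie: str, now: int):
    """Recompute F(k, value) and compare with the presented tag in constant time.
    Returns the user id on success, None on tampering, swap, bad format or expiry."""
    parts = cookie.split("|")
    if len(parts) != 4:
        return None
    user, session_id, expires_at, presented = parts
    expected = tag(key, f"{user}|{session_id}|{expires_at}")
    if not hmac.compare_digest(expected, presented):
        return None
    if not expires_at.isdigit() or int(expires_at) <= now:
        return None
    return user


# Assumption: a constructed demo secret; a real server uses a random key kept off the client.
KEY = b"constructed-demo-secret-key"
```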
WEB Tracking
Dr. Koyel Datta Gupta

Web Tracking
Web tracking technologies are used to collect, store and connect user web browsing behaviour records. The information gained thereby is of interest to various parties.
Major Objectives

Advertisement
Advertisement companies actively collect information about users and accumulate it in user profiles. These profiles are then used to tailor individualized advertisements.

Law enforcement
Law enforcement and intelligence agencies may use web tracking technologies to spy on individuals and to solve crimes.

Objectives (continued)
• Usability tests
  • By observing the steps an individual performs while trying to solve a certain task on a web page, usability problems can be discovered and fixed.
• Web analytics
  • focuses less on the individual user, but more on the performance of a web site as a whole.
  • In the e-commerce business, shop operators use web analytics to maximize their revenue, for example
    • by evaluating which pages generate most income,
    • which banner ads account for most traffic,
    • during which steps of the order process customers are lost.
TOOLS
• AWStats
• eLogic
• Google Analytics
• ShinyStat
• SiteMeter