Cookies, more properly called HTTP cookies, are small bits of data stored as text files on a browser. Websites use those small bits of data to keep track of users and enable user-specific features.
They enable core website functionality, such as e-commerce shopping carts, and are also used for more controversial purposes, such as tracking user activity.
Cookies are a necessary part of the way the web works as well as a source of privacy concerns and security risks.
Whether you are just a casual internet user or make your living as a web developer, there are certain things about HTTP cookies that every internet user should know, such as the purpose of cookies and the privacy and security risks inherent to their use.
What Goes Into a Cookie?
Cookies associate bits of data to a specific user.
For example, if you visit a website, the site may deliver a cookie identifying you as user X. If you leave the site and then return to it again, that cookie will be used by the website to recognize that you are the same user X that was at the site previously.
Cookies necessarily contain, at a minimum, two pieces of data: a unique user identifier and some information about that user.
They may also contain a wide range of attributes that tell browsers what to do with the cookie, a topic we'll get into in the portion of this guide oriented toward developers.
A common example of how this all works is an authentication cookie.
When you log into a website the site may return a cookie that identifies your user account and confirms that you have successfully logged in to the site. When you interact with the site it will use that cookie as confirmation that you are a logged-in user.
Common Types of Cookies
- Session cookies: temporary cookies kept in the browser's memory only until the browser is closed.
- Persistent cookies: longer-term cookies that the issuer tags with an expiration date.
- First-party cookies: cookies issued by the site you are currently visiting; the cookies we issue while you're visiting our site are first-party cookies.
- Third-party cookies: cookies set by a domain other than the one you are currently visiting. The most common use of third-party cookies is to track users who click on advertisements and associate them with the referring domain.
Cookie Fraud (Our Main Point)
Methods of committing cookie fraud are technically complex, but it's worth knowing about them in case you ever encounter one of these exploits.
In most cases, cookie fraud takes one of two forms: a malicious website either uses legitimate website visitors as a proxy in an attack on another website, or games tracking systems by attaching false session IDs to a legitimate user's activity. Let's look at four common cookie fraud exploits to see how they work:
- Cross-site scripting (XSS): a user visits a malicious website and receives a cookie that contains a script payload targeting a different website. The malicious cookie is disguised to look like it originated from the targeted website. When the user visits the targeted site, the malicious cookie, including the script payload, is sent to the server hosting the targeted site.
- Session fixation: a user receives a malicious cookie that contains the cookie issuer's session ID. When the user attempts to log into a targeted domain, the issuer's session ID is logged in instead of the user's session ID. In this way, it looks to the targeted domain like the issuer is performing actions that the user is actually performing.
- Cross-site request forgery (XSRF): a user visits a legitimate site and receives a legitimate cookie. The user then visits a malicious site that instructs the user's browser to perform some action targeting the legitimate site. The legitimate site receives the request along with the legitimate cookie and performs the action, since it appears to be initiated by a legitimate user.
- Cookie tossing attack: a user visits a malicious site that provides a cookie designed to look like it originated from a subdomain of a targeted site, such as http://subdomain.example.com. When the user visits the targeted site, http://example.com in this case, the subdomain cookie is sent along with any legitimate cookies. If the subdomain cookie is interpreted first, the data in that cookie will overrule the data contained in any subsequent legitimate cookies.
As you can see, in virtually all cases of cookie fraud, cookies are used to either falsify the identity of legitimate users or to use the legitimate user's identity to perform malicious actions.
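As an added example that is not part of the original article, the Python below shows the server-side defences that map onto the four exploits just described: a hardened Set-Cookie header (the `__Host-` prefix, `HttpOnly` and `SameSite` are real cookie attributes), a Cookie-header parser that flags the duplicate names a tossed cookie produces, and a session store that rotates the session ID on login so a fixated ID never becomes authenticated. The cookie name `sid` and the `SessionStore` class are constructed for this illustration.

```python
import secrets

def build_session_cookie(session_id, max_age=3600):
    """Set-Cookie value for a hardened session cookie.
    __Host- prefix: browsers accept it only with Secure, Path=/ and no Domain,
    so a cookie planted from a subdomain cannot shadow it (cookie tossing).
    HttpOnly keeps the value out of reach of page scripts; SameSite=Strict stops
    the browser attaching it to requests another site initiates (XSRF).
    """
    return (f"__Host-sid={session_id}; Path=/; Secure; HttpOnly; "
            f"SameSite=Strict; Max-Age={max_age}")

def parse_cookie_header(header):
    """Split a Cookie request header into (name, value) pairs, keeping
    duplicates instead of letting one copy silently win."""
    pairs = []
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            pairs.append((name.strip(), value.strip()))
    return pairs

def duplicated_names(header):
    """Cookie names sent more than once in one request: the pattern a tossed
    subdomain cookie produces when it arrives next to the legitimate one."""
    seen, dupes = set(), set()
    for name, _ in parse_cookie_header(header):
        if name in seen:
            dupes.add(name)
        seen.add(name)
    return sorted(dupes)

class SessionStore:
    """Minimal in-memory session store (constructed for this example)."""

    def __init__(self):
        self._sessions = {}

    def login(self, presented_sid, user):
        """Rotate the id on login instead of upgrading whatever id the client
        presented, so a pre-planted (fixated) id never becomes authenticated."""
        self._sessions.pop(presented_sid, None)
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = {"user": user}
        return new_sid

    def user_for(self, sid):
        """User bound to a session id; None for unknown or fixated ids."""
        return self._sessions.get(sid, {}).get("user")
```

A request whose Cookie header carries `sid` twice is the signal to reject or re-issue the session rather than trust whichever copy the framework happened to read first.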