Working with Cookies



Working with cookies using JavaScript (document.cookie)


1: Creating Cookies
1.1 Creating an in-memory (session) cookie

document.cookie = "Username=FirstName LastName";  // in-memory cookie: lives until the browser is closed
var x = document.cookie;
alert(x);  // Username=FirstName LastName

document.cookie = "Key1=Value1";
document.cookie = "Key2=Value2";
alert(document.cookie); // displays: Key1=Value1; Key2=Value2 (plus any cookie set earlier, such as Username)

Note: Each assignment adds one cookie. If the key already exists, the new value overwrites the old one. Reading document.cookie returns all cookies of the page as name=value pairs separated by "; ".

Predefined attributes of a cookie
  • Expires : The date on which the cookie expires. If it is omitted, the cookie expires when the visitor closes the browser.
  • Domain : The domain name of your site (the hosts the cookie is sent to).
  • Path : The path of the directory or web page that set the cookie; use path=/ if you want to retrieve the cookie from any directory or page (see 1.3).
  • Secure : If this attribute contains the word "secure", the cookie is only sent over a secure (HTTPS) connection. If it is absent, no such restriction exists.
  • Name=Value : Cookies are set and retrieved as key-value pairs.
Note: These attributes (and their values) are separated by a semicolon (;).

1.2 Creating a persistent cookie
document.cookie="username=John Doe; expires=Thu, 18 Dec 2013 12:00:00 GMT";
alert(document.cookie);   // username=John Doe (the expires attribute is not returned when reading)
1.3 Creating a persistent cookie with a path (i.e., which folder's pages can access this cookie)
document.cookie="username=John Doe; expires=Thu, 18 Dec 2013 12:00:00 GMT; path=/";
Note: With the path parameter, you tell the browser which path the cookie belongs to. By default, the cookie belongs to the directory of the current page; path=/ makes it available to the whole site.

1.4 Modifying a cookie (set a cookie with an existing key and a new value)
document.cookie="username=John Smith; expires=Thu, 18 Dec 2013 12:00:00 GMT; path=/";

1.5 Deleting a cookie
Deleting a cookie is simple: set the expires parameter to a date in the past:
document.cookie = "username=; expires=Thu, 01 Jan 1970 00:00:00 GMT";
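The cookie strings in 1.1 to 1.5 can be assembled by one function instead of being typed by hand. The following is an added example, not code from the original notes or from w3schools; the names buildCookieString, deleteCookieString and expiresInDays are my own. It encodes the value with encodeURIComponent so that a value which itself contains ';' or ',' is not cut at the separator, and it rejects names that would break the name=value pair. It runs in Node.js or a browser; in a browser you assign its result to document.cookie.

```javascript
// Added example (not part of the original notes): build the strings that
// sections 1.1 to 1.5 assign to document.cookie.
const INVALID_NAME = /[\s;,=]/;   // characters that would break the name=value pair

function buildCookieString(name, value, options = {}) {
  if (!name || INVALID_NAME.test(name)) {
    throw new Error('invalid cookie name: ' + JSON.stringify(name));
  }
  // encodeURIComponent keeps ';' ',' and '=' inside the value from being read as separators
  const parts = [name + '=' + encodeURIComponent(value)];
  if (options.expires instanceof Date) {
    parts.push('expires=' + options.expires.toUTCString());   // same date format as the notes
  }
  if (options.path) parts.push('path=' + options.path);       // e.g. '/' for the whole site
  if (options.domain) parts.push('domain=' + options.domain);
  if (options.secure) parts.push('secure');                   // only sent over HTTPS
  return parts.join('; ');                                    // attributes separated by "; "
}

// Section 1.5: a cookie is deleted by giving it an expiry date in the past
function deleteCookieString(name, path) {
  return buildCookieString(name, '', { expires: new Date(0), path: path });
}

// Expiry date `days` days from now, as setCookie in 1.7 computes it
function expiresInDays(days) {
  return new Date(Date.now() + days * 24 * 60 * 60 * 1000);
}

// Usage (in a browser): document.cookie = buildCookieString('username', 'John Doe',
//   { expires: expiresInDays(30), path: '/' });
```

deleteCookieString reproduces the trick from 1.5: a cookie whose expires date is the Unix epoch is removed by the browser. Pass the same path that was used when the cookie was set; otherwise the browser treats it as a different cookie and the original survives.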

1.6 Cookie location (Internet Explorer on Windows)
C:\Users\username\AppData\Roaming\Microsoft\Windows\Cookies
If the security configuration is set to Low: %AppData%\Microsoft\Windows\Cookies\Low

At most one file is created per domain; it contains all of that domain's values as key-value pairs, e.g.:
UserName@www.w3schools[2]
1.7: An approach: setCookie and getCookie functions
function setCookie(cname, cvalue, exdays)
{
  // Persistent cookie that expires exdays days from now
  var d = new Date();
  d.setTime(d.getTime() + (exdays * 24 * 60 * 60 * 1000));
  var expires = "expires=" + d.toUTCString();   // toUTCString() replaces the deprecated toGMTString()
  document.cookie = cname + "=" + cvalue + "; " + expires;
}

function getCookie(cname)
{
  // document.cookie holds every cookie of the page as "name=value" pairs separated by ";"
  var name = cname + "=";
  var ca = document.cookie.split(';');
  for (var i = 0; i < ca.length; i++) {
    var c = ca[i].trim();
    if (c.indexOf(name) == 0) return c.substring(name.length, c.length);
  }
  return "";   // not found
}
Calling the functions
function checkCookie()
{
  var user = getCookie("username");
  if (user != "") {
    alert("Welcome again " + user);
  }
  else {
    user = prompt("Please enter your name:", "");
    if (user != "" && user != null) {
      setCookie("username", user, 30);   // remember the name for 30 days
    }
  }
}
1.8: Iterating through each item stored in a cookie
document.cookie = 'Key1=Value1,Key2=Value2';  // one cookie (named Key1) whose value holds several items; don't use '&' or ';' as the separator (';' ends the cookie value)
var cookieArray = document.cookie.split(',');   // assumes no other cookies are set for this page

A) Reading the pairs
var x1 = cookieArray[0];  // Key1=Value1
var y1 = cookieArray[1];  // Key2=Value2

B) Reading the keys only
var k1 = cookieArray[0].split('=')[0]; // Key1
var k2 = cookieArray[1].split('=')[0]; // Key2

C) Reading the values only
var v1 = cookieArray[0].split('=')[1]; // Value1
var v2 = cookieArray[1].split('=')[1]; // Value2
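To run the set/get logic of 1.7 and the iteration of 1.8 outside a browser, the following added example (not part of the original notes) models document.cookie with a small CookieJar class of my own: assigning to its cookie property parses "name=value; attributes" the way a browser does, a repeated name overwrites the earlier value (the note in 1.1), and an expires date in the past removes the cookie (1.5). getCookie and readAllCookies then work on that string and decode values that were stored with encodeURIComponent, which is how a value containing ';' or ',' survives. The order in which cookies are returned is a simplification of real browser behaviour.

```javascript
// Added example (not from the original notes): an in-memory stand-in for document.cookie
class CookieJar {
  constructor() { this.store = new Map(); }   // insertion order kept, like most browsers

  // Mirrors `document.cookie = "name=value; expires=...; path=/"`
  set cookie(str) {
    const parts = str.split(';').map(s => s.trim());
    const eq = parts[0].indexOf('=');
    if (eq <= 0) return;                       // no name: browsers ignore the assignment
    const name = parts[0].slice(0, eq).trim();
    const value = parts[0].slice(eq + 1);
    let expires = null;
    for (const attr of parts.slice(1)) {
      const [k, v = ''] = attr.split('=');
      if (k.toLowerCase() === 'expires') expires = new Date(v);
    }
    if (expires && expires.getTime() <= Date.now()) {
      this.store.delete(name);                 // past date: the cookie is removed (1.5)
      return;
    }
    this.store.set(name, value);               // same name: the value is overwritten (1.1)
  }

  // Mirrors reading document.cookie: "name=value; name2=value2", attributes not included
  get cookie() {
    return Array.from(this.store, ([n, v]) => n + '=' + v).join('; ');
  }
}

// Same search as getCookie in 1.7, plus decoding of the stored value
function getCookie(jar, name) {
  for (const part of jar.cookie.split(';')) {
    const c = part.trim();
    if (c.startsWith(name + '=')) return decodeURIComponent(c.slice(name.length + 1));
  }
  return '';
}

// Iterate over every cookie (1.8) and return them as an object
function readAllCookies(jar) {
  const out = {};
  if (!jar.cookie) return out;
  for (const part of jar.cookie.split('; ')) {
    const eq = part.indexOf('=');
    out[part.slice(0, eq)] = decodeURIComponent(part.slice(eq + 1));
  }
  return out;
}

// Walk through the behaviours described in 1.1, 1.5 and 1.8 (constructed sample data)
function demo() {
  const jar = new CookieJar();
  jar.cookie = 'Key1=Value1';
  jar.cookie = 'Key2=Value2';
  const afterTwo = jar.cookie;                            // 'Key1=Value1; Key2=Value2'
  jar.cookie = 'Key1=Changed';                            // existing key: overwritten
  const afterOverwrite = jar.cookie;
  jar.cookie = 'Key1=; expires=Thu, 01 Jan 1970 00:00:00 GMT';   // past date: removed
  const afterDelete = jar.cookie;
  jar.cookie = 'prefs=' + encodeURIComponent('a=1;b=2,c=3');    // separators survive only when encoded
  const prefs = getCookie(jar, 'prefs');
  return { afterTwo, afterOverwrite, afterDelete, prefs, all: readAllCookies(jar) };
}
```

The comma-packed cookie from 1.8 ('Key1=Value1,Key2=Value2') comes back from readAllCookies as a single entry Key1 whose value is 'Value1,Key2=Value2'; splitting that value on ',' is the caller's job, which is why encoding a structured value is the safer choice.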






Attacks on Cookies

1)      XSS attacks
a.       Domain name validation
b.      Sub-domain name validation
2)      Cookie poisoning (protecting cookies over the wire)
3)      Cookie confidentiality (cookie data encryption)
