Working with Cookies



Working with cookies using JavaScript (document.cookie)


1: Creating Cookie
1.1 Creating in-memory cookie

document.cookie = "Username=FirstName LastName";  // In-memory (session) cookie
var x = document.cookie;
alert(x);  // Username=FirstName LastName

document.cookie = "Key1=Value1";
document.cookie = "Key2=Value2";
alert(document.cookie); // displays: Key1=Value1; Key2=Value2

Note: If the keys are the same, the new value overwrites the old one.

Predefined keys (attributes) in a cookie
  • Expires : The date the cookie will expire. If this is blank, the cookie will expire when the visitor quits the browser.
  • Domain : The domain name of your site.
  • Path : The path to the directory or web page that set the cookie. This may be blank if you want to retrieve the cookie from any directory or page.
  • Secure : If this field contains the word "secure", the cookie is only sent over a secure (HTTPS) connection. If this field is blank, no such restriction exists.
  • Name=Value : Cookies are set and retrieved in the form of key and value pairs.
Note: These parameters (and their values) are separated by semicolons (;).

1.2 Creating Persistent Cookie
document.cookie="username=John Doe; expires=Thu, 18 Dec 2013 12:00:00 GMT";
alert(document.cookie);
1.3 Creating Persistent cookie with Path (i.e., which folder pages can access this cookie)
document.cookie="username=John Doe; expires=Thu, 18 Dec 2013 12:00:00 GMT; path=/";
Note: With a path parameter, you can tell the browser what path the cookie belongs to. By default, the cookie belongs to the current page.
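
As an added example (not from the original post), the function below parses a cookie string like the ones in 1.2 and 1.3 and reports what its Expires, Domain, Path and Secure attributes imply. The name auditCookie, the finding codes and the sample strings are assumptions made for illustration.

```javascript
// Added example; auditCookie and its finding codes are hypothetical.

// Split "name=value; attr=value; flag" and report what the attributes imply.
// `now` is a millisecond timestamp, passed in so results are repeatable.
function auditCookie(cookieString, now) {
  var parts = cookieString.split(";").map(function (p) { return p.trim(); });
  var first = parts.shift();                 // name=value always comes first
  var eq = first.indexOf("=");
  var attrs = {};
  parts.forEach(function (p) {
    if (p === "") return;
    var i = p.indexOf("=");
    // Attribute names are case-insensitive; "secure" is a flag without a value.
    var key = (i === -1 ? p : p.substring(0, i)).trim().toLowerCase();
    attrs[key] = i === -1 ? true : p.substring(i + 1).trim();
  });

  var findings = [];
  if (!attrs.secure) findings.push("NO_SECURE");            // also sent over plain HTTP
  if (attrs.domain) findings.push("SUBDOMAINS");            // sent to every subdomain too
  if (attrs.path === "/") findings.push("SITE_WIDE_PATH");  // every page of the site
  if (!attrs.expires) {
    findings.push("SESSION_ONLY");                          // gone when the browser closes
  } else {
    var when = Date.parse(attrs.expires);
    if (isNaN(when)) findings.push("BAD_EXPIRES");
    else if (when <= now) findings.push("ALREADY_EXPIRED"); // browser deletes it at once
  }
  return { name: first.substring(0, eq), value: first.substring(eq + 1), findings: findings };
}

// Constructed samples modelled on the strings in this post.
var NOW = Date.UTC(2024, 0, 1);
var samples = [
  "Key1=Value1",
  "username=; expires=Thu, 01 Jan 1970 00:00:00 GMT",
  "sid=abc; Expires=Fri, 01 Jan 2100 00:00:00 GMT; Path=/app; Domain=example.com; Secure"
];
samples.forEach(function (s) {
  console.log(s, "->", auditCookie(s, NOW).findings.join(",") || "none");
});
```

An expires date that is already in the past, as in the 2013 strings above when run today, is reported as ALREADY_EXPIRED because the browser discards such a cookie immediately.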

1.4 Modifying Cookie (create a new cookie with the existing key and a new value)
document.cookie="username=John Smith; expires=Thu, 18 Dec 2013 12:00:00 GMT; path=/";

1.5 Deleting Cookie
Deleting a cookie is very simple. Just set the expires parameter to a past date (with the same path the cookie was created with, if one was given):
document.cookie = "username=; expires=Thu, 01 Jan 1970 00:00:00 GMT";

1.6 Cookie Location
C:\Users\username\AppData\Roaming\Microsoft\Windows\Cookies
If the security configuration is set to Low: %AppData%\Microsoft\Windows\Cookies\Low

At most one file is created on behalf of each domain; it contains all values in the form of key-value pairs.
For example: UserName@www.w3schools[2]
1.7: An approach: setCookie and getCookie data
function setCookie(cname,cvalue,exdays)
{
  // Expiry date: now + exdays days, in milliseconds
  var d = new Date();
  d.setTime(d.getTime()+(exdays*24*60*60*1000));
  var expires = "expires="+d.toUTCString();
  document.cookie = cname + "=" + cvalue + "; " + expires;
}

function getCookie(cname)
{
  var name = cname + "=";
  // document.cookie is a single string: "k1=v1; k2=v2"
  var ca = document.cookie.split(';');
  for(var i=0; i<ca.length; i++)
  {
    var c = ca[i].trim();
    if (c.indexOf(name)==0) return c.substring(name.length,c.length);
  }
  return "";  // cookie not found
}
Calling Methods
function checkCookie()
{
  var user=getCookie("username");
  if (user!="")  {  alert("Welcome again " + user);  }
  else
  {
    user = prompt("Please enter your name:","");
    if (user!="" && user!=null)  {  setCookie("username",user,30);  }
  }
}
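
setCookie in 1.7 concatenates the value as typed, so text containing a semicolon ends the value and the rest is read as cookie attributes. The following added example (not code from the original post) shows an encoding counterpart as pure functions; buildCookie, readCookie and the sample input are hypothetical names and constructed data.

```javascript
// Added example; buildCookie and readCookie are hypothetical names.

// Return the string to assign to document.cookie.
function buildCookie(name, value, days, opts) {
  opts = opts || {};
  // Reject names containing separators, spaces or control characters.
  if (!/^[A-Za-z0-9_.-]+$/.test(name)) throw new Error("invalid cookie name");
  var expires = new Date(Date.now() + days * 24 * 60 * 60 * 1000).toUTCString();
  // encodeURIComponent escapes ';', ',', '=' and spaces as %XX, so input
  // cannot end the value early and append attributes of its own.
  var parts = [name + "=" + encodeURIComponent(value),
               "expires=" + expires,
               "path=" + (opts.path || "/")];
  if (opts.secure !== false) parts.push("secure"); // HTTPS only by default
  return parts.join("; ");
}

// Read one cookie from a document.cookie-style string ("k1=v1; k2=v2").
function readCookie(cookieString, name) {
  var pairs = cookieString.split(";");
  for (var i = 0; i < pairs.length; i++) {
    var pair = pairs[i].trim();
    var eq = pair.indexOf("=");
    if (eq === -1 || pair.substring(0, eq) !== name) continue;
    try {
      return decodeURIComponent(pair.substring(eq + 1));
    } catch (e) {
      return ""; // malformed %-escape: treat the cookie as absent
    }
  }
  return "";
}

// Constructed input: text typed into the prompt that carries attributes.
var hostile = "Bob; path=/admin; expires=Fri, 31 Dec 9999 23:59:59 GMT";
var naive = "username=" + hostile;               // what setCookie in 1.7 builds
var safe = buildCookie("username", hostile, 30); // value stays one token
```

In a browser, assign the result with document.cookie = safe and read it back with readCookie(document.cookie, "username"). On a plain-HTTP page pass {secure: false}, since browsers refuse to store a Secure cookie set over HTTP.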
1.8: Iterating through each item stored in a cookie
document.cookie = 'Key1=Value1,Key2=Value2';  // Don't use '&' and ';' chars for multi-valued cookies.
var cookieArray = document.cookie.split(',');

A) Paired items reading
var x1 = cookieArray[0];  //Key1=Value1
var y1 = cookieArray[1];  //Key2=Value2

B) Keys only reading
var k1 = cookieArray[0].split('=')[0]; //Key1
var k2 = cookieArray[1].split('=')[0]; //Key2

C) Values only reading
var v1 = cookieArray[0].split('=')[1]; //Value1
var v2 = cookieArray[1].split('=')[1]; //Value2






Attacks on Cookies

1)      XSS attacks
a.       Domain name validations
b.      Sub-domain name validations
2)      Cookie poisoning (protecting cookies over the wire)
3)      Cookie confidentiality (cookie data encryption)


