Cookies
1. WEB SECURITY (Cookies) M00343421, MSc Network Security, Middlesex University
Why? To enable and maintain a consistent session.
How Cookies Work
• Server waits for a request
• Server initiates a session by sending a Set-Cookie header containing the session ID
• User returns a Cookie request header to continue the session
• Server responds with a Set-Cookie response header with the same values as sent before
• Server terminates the session by sending a Set-Cookie header with Max-Age=0
Types of Cookie
• Session: stores ongoing session information
• Persistent: stores all the sessions and the user's preferences
• Secure: for HTTPS
• HttpOnly: cannot be accessed by JavaScript
• Third-party: used by advertisers to promote marketing
• Zombie: recreates itself after deletion
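The session lifecycle from "How Cookies Work" and the Secure and HttpOnly types above, shown as an added example that is not part of the original slides. It uses Python's standard `http.cookies` module; the cookie name `SID`, the in-memory `SESSIONS` store and the function names are assumptions made for illustration.

```python
import secrets
from http.cookies import SimpleCookie

SESSIONS = {}  # session ID -> session state (hypothetical in-memory store)


def start_session(user):
    """Server: open a session and return the Set-Cookie header value."""
    sid = secrets.token_urlsafe(32)   # unguessable ID, hard to brute-force
    SESSIONS[sid] = {"user": user}
    jar = SimpleCookie()
    jar["SID"] = sid
    jar["SID"]["path"] = "/"
    jar["SID"]["secure"] = True       # Secure: sent over HTTPS only
    jar["SID"]["httponly"] = True     # HttpOnly: hidden from JavaScript
    return jar["SID"].OutputString()


def client_cookie_header(set_cookie_value):
    """Client: build the Cookie request header from a Set-Cookie value."""
    jar = SimpleCookie()
    jar.load(set_cookie_value)        # attributes are kept out of the header
    return "; ".join(f"{name}={m.value}" for name, m in jar.items())


def lookup_session(cookie_header):
    """Server: map a Cookie request header to session state, or None."""
    jar = SimpleCookie()
    jar.load(cookie_header)
    morsel = jar.get("SID")
    return SESSIONS.get(morsel.value) if morsel else None


def end_session(cookie_header):
    """Server: drop the session and return a Set-Cookie value with Max-Age=0."""
    jar = SimpleCookie()
    jar.load(cookie_header)
    if "SID" in jar:
        SESSIONS.pop(jar["SID"].value, None)  # invalidate server-side too
    out = SimpleCookie()
    out["SID"] = "deleted"
    out["SID"]["path"] = "/"
    out["SID"]["max-age"] = 0         # tells the browser to discard the cookie
    return out["SID"].OutputString()
```

Removing the entry from `SESSIONS` matters as much as `Max-Age=0`: a copied cookie stays usable until the server forgets the session ID.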
User Tracking
Attacks
• Session-Cookie Hijacking: stealing of the session cookie
• Cross-Site Scripting (XSS): using JavaScript code as an input
• CSRF (cross-site request forgery): using script as input to forge a request.
Case Study
• A user visited three websites, where he performed some action; now, using the session key, we need to track the user's information and his actions.