Cookies (.NET Security, Summer 2006, CS795/895, Hadi Arbabi)


1 Cookies
.NET Security, Summer 2006
CS795/895
Hadi Arbabi

2 Maintaining State Information
Query strings: visible to the user; they should not carry secure information.
View state: the ViewState property, stored as hidden fields on the page.
Session state: local to the current session (a single user).
Application state: available to all users of the application.
Cookies: store a small amount of information on the client (if the client does not refuse them).

3 What Are Cookies?
A cookie is a small bit of text that accompanies requests and pages as they go between the Web server and the browser. The cookie contains information the application can read whenever the user visits the site. Cookies are normally written to the user's disk. The browser looks on the local hard disk for a cookie associated with the URL; if the cookie exists, the browser sends it to your site along with the page request. Cookies are used for all sorts of purposes, all relating to helping the Web site remember you.

4 Properties
Cookies are associated with a Web site, not with a specific page. As the user visits different sites, each site might send a cookie to the user's browser as well; the browser stores all the cookies separately.
Most browsers support cookies of up to 4096 bytes.
Most browsers allow only 20 cookies per site; if you try to store more, the oldest cookies are discarded.
Cookies are stored by name, so if you create two cookies with the same name, one overwrites the other.
Different browsers store cookies in different ways.
Cookies are case sensitive.

5 Properties
IE5 and higher store cookies in this way: C:\Documents and Settings\ \Cookies\ @.txt
NOTE: You can open the cookie with a text editor. If the file contains multiple cookies, they are separated with an asterisk (*). The first line of each cookie is its name, and the second has the values. The remaining lines have cookie housekeeping information such as the expiration date and time. There is also a simple checksum in the cookie; if you change the length of the cookie name or value, the browser will detect the tampering and will discard the cookie.

6 Approaches
Two approaches to storing and retrieving user information through cookies:
1. Store all the user information as a cookie on the client's computer. This is useful when the user information is simple and is not required on the server for any task.
2. Store an identification key on the client's machine, and then retrieve the user information from a data source on the server using that key. This is best for storing more extensive information.

7 HttpCookie Class in .NET
Public properties:
Domain: gets or sets the domain to associate the cookie with
Expires: gets or sets the expiration date and time for the cookie
HasKeys: gets a value indicating whether a cookie has subkeys
Name: gets or sets the name of a cookie
Path: gets or sets the virtual path to transmit with the current cookie
Secure: gets or sets a value indicating whether to transmit the cookie securely (that is, over HTTPS only)
Value: gets or sets an individual cookie value
Values: gets a collection of key-and-value pairs that are contained within a single cookie object

8 Using Cookies
Users can set their browser to refuse cookies, so the application should not depend on being able to store them. Use cookies for nice-to-have features; do not use them to support critical features.
C#:
    private void Function(...)
    {
        // If the browser supports cookies
        if (Request.Browser.Cookies)
        {
            // Create a cookie
            HttpCookie myCookie = new HttpCookie("MyCookie");
            myCookie.Value = "This is value of my cookie";
            // Add the cookie to the response so the browser stores it
            Response.Cookies.Add(myCookie);
        }
    }

9 Creating a Cookie
Steps to store a cookie:
1. Check whether the client supports cookies by using the Browser object's Cookies property.
2. If so, check whether the cookie already exists by using the Request object's Cookies collection.
3. If not, create a new cookie object using the HttpCookie class.
4. Set the cookie object's Value and Expires properties.
5. Add the cookie object to the Response object's Cookies collection.

10 Code
C#:
    private void Page_Load(object sender, System.EventArgs e)
    {
        if (Request.Browser.Cookies)
        {
            if (Request.Cookies["MyCookie"] == null)
            {
                // No cookie yet: create one with a value and an expiration
                HttpCookie myCookie = new HttpCookie("MyCookie");
                myCookie.Value = "This is my cookie value";
                myCookie.Expires = DateTime.Now.AddDays(5);
                Response.Cookies.Add(myCookie);
            }
            else
            {
                // Cookie exists: change it and send it back, otherwise the new value never reaches the browser
                HttpCookie myCookie = Request.Cookies["MyCookie"];
                myCookie.Value = "Set the value";
                myCookie.Expires = DateTime.Now.AddDays(5);
                Response.Cookies.Add(myCookie);
            }
        }
        else
        {
            // SHOW MESSAGE; THE BROWSER DOES NOT ACCEPT COOKIES. (ALERT)
        }
    }

11 Expiration?!!!
If you do not set the cookie's expiration, the cookie is created but it is not stored on the user's hard disk. Instead, the cookie is maintained as part of the user's session information; when the user closes the browser or the session times out, the cookie is discarded. A non-persistent cookie like this is handy for information that needs to be stored for only a short time or that, for security reasons, should not be written to disk on the client computer. For example, non-persistent cookies are useful if the user is working on a public computer, where you do not want to write the cookie to disk.
So the Expires property determines when the client's machine may discard the cookie. Setting Expires to DateTime.MaxValue means that the cookie never expires:
    Response.Cookies["MyCookie"].Expires = DateTime.MaxValue;
Resetting the Expires property to the current time or to a past time removes the cookie from the client's machine:
    Response.Cookies["MyCookie"].Expires = DateTime.Now;

12 Using Keys, Multi-Valued Cookies
    // Store several named values (subkeys) inside one cookie
    private void SetKeys(...)
    {
        HttpCookie cuky = new HttpCookie("UserInfo");
        cuky["FirstName"] = firstname;
        cuky["LastName"] = lastname;
        cuky["Tel"] = tel;
        // ...
        cuky.Expires = DateTime.Now.AddDays(30);
        Response.Cookies.Add(cuky);
    }

    // Read the subkeys back from the cookie sent with the request
    private void ReadKeys(...)
    {
        HttpCookie cuky = Request.Cookies["UserInfo"];
        firstname = cuky["FirstName"];
        lastname = cuky["LastName"];
        tel = cuky["Tel"];
        // ...
    }

13 Storing User Information on the Server
1. Create a unique key to identify the user (for example, System.Guid.NewGuid().ToString()).
2. Save the unique key as a cookie on the user's computer.
3. Create a file on the server to store the user information.
4. Save the user information on the server using the unique key as an index.

14 Security
You should never store secrets in a cookie — no user names, no passwords, no credit card numbers, and so on. Do not put anything in a cookie that should not be in the hands of a user or of someone who might somehow steal the cookie.
Similarly, be suspicious of information you get out of a cookie. Do not assume that the data is the same as when you wrote it out.
Limit the scope of cookies to a folder on the server, which in practical terms lets you limit cookies to one application on the site:
    Response.Cookies["domain1"].Path = "/Application1";
Set the scope to a domain, which lets you specify which subdomains of a domain can access a cookie:
    Response.Cookies["domain1"].Domain = "hadi.arbabi.com";
Set an appropriate expiration date and time for cookies.

15 Security
You can set a cookie property that causes the cookie to be transmitted only if the connection uses the Secure Sockets Layer (SSL, i.e. https://):
    myCookie.Secure = true;
If you do want to store sensitive information such as a user ID in a cookie, you can encrypt the cookie.
Use HTTP-only cookies.
NOTE: To mitigate the risk of information disclosure through a cross-site scripting attack, a new attribute was introduced to cookies in Internet Explorer 6 SP1. This attribute specifies that a cookie is not accessible through script. By using HTTP-only cookies, a Web site eliminates the possibility that sensitive information contained in the cookie can be sent to a hacker's computer or Web site with script. If a Web site sets an HTTP-only cookie on a browser that does not support HTTP-only cookies, the cookie is either ignored or downgraded to a traditional, scriptable cookie.
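As an added example (not code from the slides), the identification-key approach of slide 13 combined with the cookie settings from slides 14 and 15: the client holds only an opaque GUID, the user data stays in a server-side store, and the key read back from the cookie is treated as untrusted input. The UserInfo type, the in-memory Store dictionary, the /Application1 path and the one-hour lifetime are assumptions; Guid.TryParse needs .NET 4 or later.

```csharp
using System;
using System.Collections.Generic;
using System.Web;

// Hypothetical user record; only the opaque key below ever reaches the client.
public class UserInfo { public string FirstName; public string LastName; }
public static class UserSession
{
    const string CookieName = "UserKey";
    const string AppPath = "/Application1";
    // Hypothetical server-side data source, keyed by the identifier stored in the cookie.
    static readonly Dictionary<Guid, UserInfo> Store = new Dictionary<Guid, UserInfo>();
    public static void Create(HttpRequest request, HttpResponse response, UserInfo info)
    {
        if (!request.Browser.Cookies) return;      // client refuses cookies: degrade, do not fail
        Guid key = Guid.NewGuid();                 // unpredictable identifier (slide 13)
        Store[key] = info;                         // user data stays on the server
        HttpCookie cookie = new HttpCookie(CookieName, key.ToString());
        cookie.HttpOnly = true;                    // not readable by script (slide 15)
        cookie.Secure = true;                      // sent over HTTPS only (slide 15)
        cookie.Path = AppPath;                     // limit scope to this application (slide 14)
        cookie.Expires = DateTime.Now.AddHours(1); // explicit, short lifetime (slide 14)
        response.Cookies.Add(cookie);
    }
    // The cookie value is untrusted input: parse it strictly and use it only as a lookup key.
    static bool TryGetKey(HttpRequest request, out Guid key)
    {
        HttpCookie cookie = request.Cookies[CookieName];
        key = Guid.Empty;
        return cookie != null && Guid.TryParse(cookie.Value, out key);
    }
    public static UserInfo Lookup(HttpRequest request)
    {
        Guid key;
        UserInfo info;
        if (TryGetKey(request, out key) && Store.TryGetValue(key, out info)) return info;
        return null;                               // missing, malformed or unknown key
    }
    // Remove the server-side record and tell the browser to discard the cookie (slide 11).
    public static void Logout(HttpRequest request, HttpResponse response)
    {
        Guid key;
        if (TryGetKey(request, out key)) Store.Remove(key);
        HttpCookie expired = new HttpCookie(CookieName, string.Empty);
        expired.Path = AppPath;                    // scope must match the original cookie
        expired.Expires = DateTime.Now.AddDays(-1);
        response.Cookies.Add(expired);
    }
}
```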

16 References
Book: Developing Web Applications with Microsoft Visual C# .NET, Microsoft Press (MCAD/MCSD)
Web: Microsoft Developer Network
- HttpCookies
- Cookies in .NET
- State Management in ASP.NET

