Some state is highly desirable between requests:
- Remember user's preferences, navigation point, …
- Web applications: user logged in
However, some state is less desirable:
- Advertising network tracking IDs.
  - May be shared between websites.
  - Thus can profile user browsing behaviour.
  - Hence compromise privacy.
- Also risk of theft
  - If browser/machine compromised, or
  - If cookies passed in clear.
Cookies in HTTP Headers
- Specified in RFC6265
- Just ASCII plain text
- Sent by server.
- Stored in client (database, filesystem, …)
- Returned by client when visiting page again.
- Cookies can be set by the server for a particular path/domain.
  - Then sent for any page matching.
- Multiple cookies may be set and returned.
- Cookies may have a limited lifetime.
  - Set by 'Expires' or 'Max-Age'.
Secure Cookies?
From RFC6265: The Secure attribute limits the scope of the cookie to "secure" channels (where "secure" is defined by the user agent). When a cookie has the Secure attribute, the user agent will include the cookie in an HTTP request only if the request is transmitted over a secure channel (typically HTTP over Transport Layer Security (TLS) [RFC2818]).
Removing Cookies
From RFC6265: To remove a cookie, the server returns a Set-Cookie header with an expiration date in the past. The server will be successful in removing the cookie only if the Path and the Domain attribute in the Set-Cookie header match the values used when the cookie was created.
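The following is an added illustration, not part of the lecture notes and not code from any browser or RFC: a small Python cookie jar that implements the client-side rules listed above (store on Set-Cookie, scope by Path/Domain, lifetime by Expires/Max-Age, withhold Secure cookies on plain HTTP, and remove a cookie by re-setting it with a past expiry, which only works when Path and Domain match). Host names such as shop.example and all Set-Cookie header values are constructed sample data; the `Cookie`, `CookieJar` and `demo` names are this example's own.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from typing import Optional
from urllib.parse import urlparse


@dataclass
class Cookie:
    name: str
    value: str
    domain: str
    path: str
    secure: bool = False
    http_only: bool = False
    expires: Optional[datetime] = None  # None = session cookie (discarded when browser closes)


def default_path(request_path: str) -> str:
    """RFC 6265 5.1.4: without a Path attribute, scope is the request path up to its last '/'."""
    if not request_path.startswith("/") or request_path.count("/") == 1:
        return "/"
    return request_path[: request_path.rfind("/")]


def domain_matches(host: str, cookie_domain: str) -> bool:
    return host == cookie_domain or host.endswith("." + cookie_domain)


def path_matches(request_path: str, cookie_path: str) -> bool:
    """Path-match: identical, or a prefix that ends on a '/' boundary (so /account != /accounts)."""
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"


def parse_set_cookie(header: str, request_url: str, now: datetime) -> Cookie:
    """Parse one Set-Cookie header value into a Cookie scoped to the URL that set it."""
    url = urlparse(request_url)
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = Cookie(name.strip(), value.strip(), url.hostname.lower(), default_path(url.path))
    max_age = None
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "secure":
            cookie.secure = True
        elif key == "httponly":
            cookie.http_only = True
        elif key == "path" and val.startswith("/"):
            cookie.path = val
        elif key == "domain" and val:
            cookie.domain = val.lstrip(".").lower()  # simplification: no host-only flag kept
        elif key == "max-age" and val.lstrip("-").isdigit():
            max_age = int(val)
        elif key == "expires" and max_age is None:
            cookie.expires = parsedate_to_datetime(val)
    if max_age is not None:  # RFC 6265: Max-Age takes precedence over Expires
        cookie.expires = now + timedelta(seconds=max_age)
    return cookie


class CookieJar:
    def __init__(self) -> None:
        self._cookies = {}  # keyed by (name, domain, path): the identity used for replacement/removal

    def store(self, set_cookie_header: str, request_url: str, now: datetime) -> None:
        c = parse_set_cookie(set_cookie_header, request_url, now)
        key = (c.name, c.domain, c.path)
        if c.expires is not None and c.expires <= now:
            # Past expiry = removal. Only an exact (name, domain, path) match is deleted,
            # which is why a logout page must reuse the original Path and Domain.
            self._cookies.pop(key, None)
        else:
            self._cookies[key] = c

    def cookies_for(self, request_url: str, now: datetime) -> dict:
        """Cookies the client would send with a request, as name -> value."""
        url = urlparse(request_url)
        host, path, over_tls = url.hostname.lower(), url.path or "/", url.scheme == "https"
        out = {}
        for c in sorted(self._cookies.values(), key=lambda c: -len(c.path)):  # longest path first
            if c.expires is not None and c.expires <= now:
                continue  # expired
            if not (domain_matches(host, c.domain) and path_matches(path, c.path)):
                continue  # out of scope
            if c.secure and not over_tls:
                continue  # Secure cookie never travels in clear
            out.setdefault(c.name, c.value)
        return out


def demo() -> dict:
    """Constructed walk-through: set, return, Secure, expiry and removal."""
    now = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)  # constructed clock
    jar = CookieJar()
    jar.store("session=abc123; Path=/; Secure; HttpOnly", "https://shop.example/login", now)
    jar.store("prefs=dark; Path=/account; Max-Age=3600", "https://shop.example/account/settings", now)
    results = {
        "https_root": jar.cookies_for("https://shop.example/", now),
        "http_root": jar.cookies_for("http://shop.example/", now),
        "https_account": jar.cookies_for("https://shop.example/account/settings", now),
        "after_expiry": jar.cookies_for("https://shop.example/account/settings", now + timedelta(hours=2)),
    }
    past = "Expires=Thu, 01 Jan 1970 00:00:00 GMT"
    jar.store(f"session=; Path=/other; {past}", "https://shop.example/logout", now)  # wrong Path: no effect
    results["wrong_path_removal"] = jar.cookies_for("https://shop.example/", now)
    jar.store(f"session=; Path=/; {past}", "https://shop.example/logout", now)  # matching Path: removed
    results["removed"] = jar.cookies_for("https://shop.example/", now)
    return results
```

Running `demo()` shows each rule in turn: the Secure session cookie is returned over https but not over http, the `/account`-scoped cookie only appears for matching paths and disappears after its Max-Age, and the removal with a mismatched Path leaves the cookie in place, exactly the RFC 6265 behaviour quoted above.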