Calling Cookie Experts...
-
So for like the Nth time I've wondered about browser based cookies. I read this article http://www.codeproject.com/aspnet/aspnetcookies.asp which talks some about cookie management and I can see how cookies must be handled. But from a security standpoint. When I go to a site and someone cookies my browser what all can they do? I'm guessing you can store whatever data in the cookie you want. Like you could have:
cookie.name //where this is the name of perhaps the day of the week.
cookie.date //where this is the current date.
cookie.server //where this is the I.P. of the server
I mean you can probably save a bunch of stuff in a cookie but I imagine there is a size limit. So what can spyware guys do with cookies? Can they retrieve information from you? When I tell a site (like CP) to remember me they are just writing my username and password to the cookie, right? Could someone on another site (say I mis-typed the url and did code-project.com) check for that cookie and get my username and password?
I'm mainly wondering this because cookies are a bit strange as a concept and I'm trying to learn more about them. Like they cannot automatically upload data to a site, right? The page you visit has to know the cookie's name and then request it... From a security perspective I'm just curious about cookies in general. Admittedly cookies are the least of my concerns (I hope) so call this a curiosity...
Some assembly required. Code-frog System Architects, Inc.
-
The browser will send the cookie back to any sites that match the domain set for it. When you create a cookie, you can say what domain/level it belongs to, i.e. the cookie may belong to codeproject.com so the browser will only send it to pages under that, not code-project.com. You can also tell the cookie to be sent to any domain or do a sub folder only. So a site like Code Project would most likely store a hash of your user, password, maybe other things, which it matches against something on the server so the password is not just clearly stored in the cookie (just guessing here). Each cookie is a key=value pair. Um... they also can have time limits, but again it's up to the browser to discard expired cookies, not you or the site. So really you hope your browser isn't doing anything dodgy. What else. Cookies get sent back to the page in the HTTP header. The page does not have to do anything with it though. Ad sites etc. could use them to track your spending habits. I.e. you go to somesite.com, they have ads that are like
Now when your browser downloads someadserver.com/ad.page?1896287 they can set a cookie and then set the MIME type to a JPEG to make the images display. So then next time you go to another site that uses the same ad server that cookie will be sent back, so they can identify you. Then if you ever click on an ad they could store that your 'cookie number' likes computer software, so next time you visit, the ad server can display more software ads. That's my understanding. Hope it helps, I wrote quick so there are most likely holes etc. missing. Cheers, Luke
-
Don't Panic. Cookies are text files - no executables there. They're also domain-specific; only the domain that created the cookie receives it. Cookies are an attempt to add state to a TCP connection which is, by definition, stateless. You can block them using settings in your browser, but that will create more overhead when you repeatedly visit the same site.
"...a photo album is like Life, but flat and stuck to pages." - Shog9
-
code-frog wrote:
I mean you can probably save a bunch of stuff in a cookie but I imagine there is a size limit.
If memory serves me correct (and it hasn't been lately :)), it's 8K per cookie. At least on the older browsers.
code-frog wrote:
Could someone on another site (say I mis-typed the url and did code-project.com) check for that cookie and get my username and password?
Nope. Cookies belong to the domain whether or not you specify it.
code-frog wrote:
From a security perspective I'm just curious about cookies in general. Admittedly cookies are the least of my concerns (I hope) so call this a curiosity...
Information-wise, anything can be stored. They are often used to collect demographics about frequency of visits, what you like to shop for, etc. I'm sure there are some malicious uses, I just can't think of any off the top of my head.
Jeremy Falcon
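The domain and sub-folder scoping described in the replies above, as an added example that is not part of the original thread: a sketch of how a browser picks which cookies to send, following the domain-match and path-match rules of RFC 6265. The function names, the jar layout and the cookie values are assumptions constructed for illustration.

```javascript
// Added example: cookie selection per RFC 6265 (domain-match 5.1.3, path-match 5.1.4).
// Function names and jar contents are hypothetical, constructed for this sketch.

function domainMatch(host, cookieDomain) {
  host = host.toLowerCase();
  cookieDomain = cookieDomain.toLowerCase();
  if (host === cookieDomain) return true;
  // A suffix only counts when it starts at a label boundary (a dot),
  // and IP-address hosts never suffix-match.
  const isIp = /^[\d.]+$/.test(host) || host.includes(':');
  return !isIp && host.endsWith('.' + cookieDomain);
}

function pathMatch(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  // The prefix must end at a "/" boundary: /script covers /script/x, not /scripts.
  return cookiePath.endsWith('/') || requestPath[cookiePath.length] === '/';
}

// Builds the value of the Cookie request header for a given URL.
function cookieHeaderFor(url, jar) {
  const { hostname, pathname } = new URL(url);
  return jar
    // Host-only cookies (no Domain attribute) go back to the exact host only.
    .filter(c => (c.hostOnly ? hostname === c.domain : domainMatch(hostname, c.domain)))
    .filter(c => pathMatch(pathname, c.path))
    .map(c => `${c.name}=${c.value}`)
    .join('; ');
}

// Constructed jar: a cookie set with Domain=codeproject.com, a host-only cookie
// limited to a sub folder, and a cookie set by an ad server embedded in other sites.
const jar = [
  { name: 'login', value: 'tok123', domain: 'codeproject.com', hostOnly: false, path: '/' },
  { name: 'prefs', value: 'dark', domain: 'www.codeproject.com', hostOnly: true, path: '/script' },
  { name: 'uid', value: '1896287', domain: 'someadserver.com', hostOnly: false, path: '/' },
];

console.log(cookieHeaderFor('https://www.codeproject.com/script/x.asp', jar));
console.log(cookieHeaderFor('https://code-project.com/', jar)); // mistyped domain: nothing sent
console.log(cookieHeaderFor('http://someadserver.com/ad.page?1896287', jar));
```

The ad-server cookie is returned on every request to someadserver.com regardless of which site embedded the ad, which is what makes the cross-site tracking described above possible.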
-
Oh, and if you intend to work with cookies on the client (the old-fashioned way) with JavaScript, then use my code and vote me a gazillion 5s. :laugh: http://www.codeproject.com/jscript/parse.asp If there's a bug in it, just blame someone else (kidding). Jeremy Falcon
-
[sniff] Programming Question [/sniff] BTW, thanx for the topic. Web programming has always been an unseen land for me, so any info about it is good for me. Can't help you though :( Regards, Aamir
-
code-frog wrote:
cookies are the least of my concerns (I hope) so call this a curiosity...
ZeePain! wrote:
This seems like one of those programs that started small, grew incrementally, building internal pressure, and finally barfed all over its source code sneakers. Or something.
-
Shog9 wrote:
Cookies are an attempt to add state to a TCP connection which is, by definition, stateless.
I'm taking it you meant to say "HTTP" where it says "TCP"?
Yup. It was really late...:sigh: "...a photo album is like Life, but flat and stuck to pages." - Shog9
-
code-frog wrote:
So for like the Nth time I've wondered about browser based cookies.
I must be thinking of something else. I thought you were asking about brownies and baked cookies. :) Marc VS2005 Tips & Tricks -- contributions welcome!
-
Not a programming question though (here) it easily could be. I am a network administrator for several small businesses and one in particular has some interesting questions for me on security and they were wondering about cookies. I recommended "The Cookie Lady", they accused me of being "baked" and then I realized they meant browser cookies so I came here thinking programming-dorks will know if anybody does... I'm actually baking a browser cookie to take over the world. It will be a super-cookie made up of smaller cookies called "chips". My cookie will infect the world with cookie-lust and snow storms. Yeah, you caught me. I've been reading way too much Calvin & Hobbes lately. Just can't help myself... Calvin's my hero. :) It used to be Shog but then I saw where he made a programming mistake and admitted it publicly. I didn't know Shog made mistakes so now he's 2nd on "The All Time Hero List" and Calvin is back at #1. :cool:
Some assembly required. Code-frog System Architects, Inc.
-
Aamir Butt wrote:
Programming Question
IMO not in the sense it is used here in "no programming questions". It is a pity that the "programming Question" ban seems to purge all technical topics from the lounge.
We say "get a life" to each other, disappointed or jokingly. What we forget, though, is that this is possibly the most destructive advice you can give to a geek.
boost your code || Fold With Us! || sighist -
Marc Clifton wrote:
brownies and baked cookies
You would say that as I finish my salad for lunch (Mr. Waistline hasn't been a good boy lately :sigh:).
Software Zen:
delete this;