Check out a free preview of the full Web Security, v2 course
The "Cookie Attributes" Lesson is part of the full, Web Security, v2 course featured in this preview video. Here's what you'd learn in this lesson:
Steve discusses the attributes of a cookie, including expiration date and age. Steve also warns about using certain settings, such as the path and domain attributes, as they can have unintended consequences and potentially compromise security.
Transcript from the "Cookie Attributes" Lesson
[00:00:00]
>> Steve Kinney: Let's just talk about some of the attributes on a cookie, you can think about a cookie as like a key value store right. But then there are some special properties, right? That like are again that agreement, which is previously just an undocumented agreement, but as we saw before, as of 2011, we've got a standard for this stuff.
[00:00:17]
Some of the various different agreements of what should the browser do with this cookie, right? And so for instance we'll see a whole bunch of them that are more tightly related to security, but this is arguably one somewhat related as well, which is when should I get rid of this cookie, right?
[00:00:35]
You've got two options. You can set an expiration date, or you can also set just some kind of age like 24 hours, 30 days something along those lines, whatever works for your application, whatever works for your application, I think at one point, Google said some cookie. Until 38,which is by my guess, when we run out of 32 bit integers, which I think creeped a lot of people out, so generally speaking depending on what you're doing, obviously sessions or something along those lines.
[00:01:03]
Shorter, stuff like their settings or if they're in dark road or not, maybe you keep a little bit longer than that. But generally speaking, if you don't set one of these, you are for the duration of a session, right? And it's nuanced what exactly is a session, but let's assume closing the browser is the end of a session.
[00:01:22]
For our purposes, that's not always true, but generally speaking, it's a good heuristic. Which then brings up, how do we delete a cookie? And the answer to that question is you can't, kinda, right? You can't delete a cookie, you can set its expiration date to the past, right?
[00:01:41]
And then the browser will get that cookie again, and will see that it's like, it's set to last week. I am going to clear out a bunch of this as well. There's some other settings that you probably shouldn't use unless you deeply have a good reason, right? Cuz they have these weird, unintended side Yeah, side effects, side consequences, side-equences.
[00:02:03]
Unintended consequences, so for instance, the path one is like, hey, I only want it for these sub-directories. But there are all sorts of fun exploits with iframes, as we'll see, that kind of invalidate a lot of this as well, and a few others. So the domain one is super interesting- 16 as well.
[00:02:20]
You can say by default, it is for the given domain that you're on. But in this case, putting that dot in front of it would make it for frontendmasters.com and all of its subdomains. Now, we'll start out with the fact that there are some changes to the spec where you're actually trying to scope it down to a domain, you could accidentally make it less specific, right?
[00:02:45]
And we'll see some of that later. But also, it really depends, right on what the domain is. So for instance, you can say, cool, I want it for all the subdomains of my domain. That might be really great if you have login enterprise.com, right? No, I guess not enterprise credit card.
[00:03:02]
But well, your company.com and then, the www and maybe some other dashboard? Great, however, what if you were just hosting your page, GitHub.io or vercel.app? We'll talk about that as well. Every subdomain would mean everyone else who was also at Github.io. Right, again, it's like just adding a little property or just maybe something even you're like, this is something that has a server side framework set for you.
[00:03:31]
You didn't even realize it, but you just gave anyone else on that subdomain or anyone who get one of those subdomains, right? Which again, if you own the DNS, fine. But if it is something where you just have a subdomain, all right? Wide open for all that stuff.
Learn Straight from the Experts Who Shape the Modern Web
- In-depth Courses
- Industry Leading Experts
- Learning Paths
- Live Interactive Workshops