Cookies Overview

[00:00:00]
>> Steve Kinney: There's more than one way that kind of, we deal with identity on the web. But let's start with probably, I think it's safe to say the most common one, which is cookies, right? The web HTTP is effectively stateless, right? Which means there's no idea of you are logged in and authenticated except that we kind of cheat, right?

[00:00:23]
There is basically this mutually accepted by both servers in the browser, where you'd be you tell me who I am, server. I'm gonna hold on to that. I'm gonna keep reminding you of who I am on every subsequent request, which then takes a stateless protocol and has this idea of what we will in this workshop call a session.

[00:00:43]
Most of us I would assume have used the internet before and you do not necessarily need to be logged in but a common way is you've logged in now further requests are, you are you. And we'll kind of this tweet will now come from you because you have access to do it, you have access to these pages.

[00:01:01]
You can see these certain resources, you can put this stuff in your cart. And you don't necessarily need to be logged in, right? There's a whole industry of tracking and advertising that is just, they don't necessarily know who you are. They just know about all the guitars you looked at in the last week, all right?

[00:01:20]
And can show you reverb ads in the middle of researching a bunch of stuff on web security. And then you get distracted, and you go look at guitars for a little bit, so on and so forth. And sometimes you'll see the experience where you can add stuff to a shopping cart, then you go to check out, and you maybe you log in, or you create an account and your cart Is still persisted.

[00:01:40]
So on and so forth that's again cookies. So it's not always tied to, authentication and authorization. But for our purposes that's the one we're interested in finding some rondo shopping cart without any payment information. Sure steal that cookie, I guess. But usually you want the one with the credit card attached to it.

[00:01:59]
And for our purposes, we care mostly about that kind of authenticated user session, but obviously cookies are used for a bunch of things and the technology works either way. And the interesting part about cookies is like many things on the Internet, the original implementation was kind of fast and loose, right?

[00:02:18]
There is, story with the image tag, which is, there was a whole long thread when we're gonna add images to web pages about what does the semantics of the image tag be? And Netscape got annoyed and just shipped the image tag that we all know and love today.

[00:02:33]
And it's well, we did it. And so that's the one we have now. And that's why we have six others at this point, very similar Netscape again, in 94 I think the original implementation, they only spent a few days on it, and it had no spec whatsoever. It was just a thing that Netscape did, most of the early stages of the internet now, also all of us who write JavaScript have a lot of empathy for our good friend ES4, which never actually existed.

[00:03:05]
There was an attempt to standardize it in 97. Another one called Cookie2, which were incompatible changes, right? And that's a theme that we're gonna see, which is there are some things on the web that we know are broken. And we know are terrible, but you can't break the web sometimes you can.

[00:03:23]
Sometimes Google and Chrome will just decide new rules, deal with it. But generally speaking, some of the worst parts of securing your web application are choices people made during the grunge era right, and now we live with them. So yeah, an attempt to specify in 2000, and then finally, in 2011, we actually got a real spec for it.

[00:03:47]
But that means that there was more time that it was completely unspecced than we've actually had it, with actual specification and actually rules. And kind of cross browser support. The nice part is, we live in the web standards world now where, luckily, a lot of these things are easier, not always the case.

[00:04:06]
We'll see different browsers roll stuff out at different times, and eventually, all of them, sometimes maybe, but a cookie is set as a header, right? We will spend a lot of time to actually, you will not only learn how to secure your web app, you will also just learn way more than you ever wanted to know about how the web actually works in the HTTP protocol.

[00:04:32]
And how servers and browsers do their dance together as a accident because ultimately that is what we are trying to secure. So, when we've got a cookie that has been set, there's a set cookie header on a response, and then the browser is, I will hold on to that value, and we'll kind of see where Chrome can hold on to it, and we can see the cookies.

[00:04:53]
And then on subsequent requests, and we'll talk about, for how long and why, and whatever. It's hey, remember when you told me, after I logged in that my username or my session ID was whatever I'm reminding you again, this is who I am. And this is critical to securing our applications, because if somebody else can say I am Bobby Tables in this case, right then, guess what?

[00:05:17]
As far as the service concerned, they are, right? There's not extra, there is little things you can do or bigger things, right, two-factor auth, so on and so forth. But it is somewhat difficult to then if you can say that, if you can prove that you are, even if you're not, the person who really is that person has a real problem.

[00:05:38]
And so we'll kind of see how to deal with that as we go along. And it's weird, right? Most things, there is a document.cookie in the DOM that you can access. And it's kind of weird, which is if you then set it to different values as you go along, you're this should change the cookie completely.

[00:05:56]
It doesn't, just actually appends it to the cookie, right? And this is kind of the initial first thing of this stuff is weird, and that's kind of what makes it a both really interesting attack vector. And a somewhat one that if you're kind of just going in with the I know how JavaScript works.

[00:06:12]
I know how the web works, you will have these little blind spots that, again, nobody really likes to deal with this stuff. Nobody really likes to be the person responsible for the multi-million dollar vulnerability, and we will see some of those as we go along. And so, it's these little places in the gaps in our understanding where the attackers thrive, right?

[00:06:37]
And so we'll kind of play around with that. In at any point you can do this on any webpage because again the web is code executing in your browser. You can open up the developer tools and go to the application tab and you can kind of see that sidebar.

[00:06:52]
You can see the cookies that are set on your browser right now. Now it is just one string right? But the browser kinda looks for the semicolons, parses it out, and puts in a table for you, and you kinda get a sense as you're developing, are these behaving the way I think they are?

[00:07:09]
Do these look correct, and so on, and so forth? I also bring this up because we're gonna work on a bunch of apps, we're gonna break into them, we're probably gonna wanna clean up after ourselves occasionally. You can go in here and delete your cookies as well.