Photo by Vyshnavi Bisani on Unsplash
Session cookies as targets for criminals
Stealing from the Cookie Jar
In the early days of the Internet, JavaScript and cookies were considered evil and dangerous constructs that could be misused to execute code and secretly store tracking information. Users who valued security disabled JavaScript and simply banned cookies, with few exceptions. Today, both concepts are an integral part of the Internet. Responsive web applications can be created quickly with the use of comprehensive libraries and APIs on the server for all communication. Static API keys, JSON web tokens (JWTs), or simply session cookies, which are essentially dynamic API keys, are used to secure user activities.
Session cookies are small snippets of information that web applications use to reference temporary information about a user's session, making it possible to identify a user visiting a website without the need constantly to re-authenticate. Typical session information includes login status, shopping cart content in online stores, and user configurations. As such, session cookies form the basis for web applications.
Session cookies are normally stored in the web browser's cache on the user device, and you can view them with developer tools (Figure 1). Unlike permanent cookies, which the browser also stores on disk, session cookies only need to be stored in the browser's working memory. You can access this memory area from the browser's sessionStorage API. The information is then only available while the browser is running. As soon as the user closes the browser window, the data disappears automatically, which makes the approach more secure because no data remains permanently on the device. However, many applications also store their data cookies in the browser's local cookie store so that they are also available in other windows of the same application.
Buy this article as PDF
(incl. VAT)
Buy ADMIN Magazine
US / Canada
UK / Australia
Related content
-
Searching for security flaws and exploits with Burp Suite
You can strengthen your web security by testing for common vulnerabilities. We show how to do this using the attack proxy known as Burp Suite. -
A REST interface for FreeIPA
Access to the FreeIPA identity management framework is usually handled via a graphical web interface or a command-line tool, but the framework can also be queried directly via the JSON-RPC API. -
Identity and access management with Authelia
Add access controls to web applications that do not have their own user administration; however, this useful gatekeeper requires a reverse proxy. -
Credential harvesting at the network interstice
To thwart credential harvesters at the network interstice, you must understand how attackers exploit browser transactions. -
TCP Fast Open
With TCP Fast Open, Google introduces a protocol extension implemented in the Linux kernel that avoids unnecessary latency in network traffic and promises up to 41 percent acceleration, depending on the application.
Subscribe to our ADMIN Newsletters
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Most Popular
Support Our Work
ADMIN content is made possible with support from readers like you. Please consider contributing when you've found an article to be beneficial.
