February 3rd, 2003, 03:23 AM
Alright, just a small tutorial on what a cookie is, really. I'm sure alot
of you have heard of cookies, just never really got the full understanding
of the different varieties, or use. So I decided that i would give an
overview, for the newbs and gurus alike.
A cookie is defined as information stored for future use on a server for
the client side of the communication. What it does is use the HTTP
(HyperText Transfer Protocol, port 80) gets a request and stores that
request in "cookies" Those cookies are then stored on your harddrive for
future use. For example, if you go to www.antionline.com, it has the
cookie file on your computer for past requests and then uses them for this
The cookie is actually stored in the Web Browser (Internet
Explorer, Mozilla, Netscape, Galleon, Opera etc) Where internet explorer
saves the files in a subdirectory. Opera stores them in a
cookies.dat.file, Netsacpe stores them in a cookies.txt.file.
Transient Cookies are a better use in my opinion. They are commonly called
session cookies, because they operate sessionly, meaning only while your
web browser is running. They are stored in a temporary file that is
deleted as soon as you kill your browser. They can be of use by enabling
site cookie usage that way you can browse more efficiently. For instance,
logging in on forums. While you are logged in and you have those cookies
set to use, you can browse logged in every time you refresh a page, go to
a different url on that server, etc.. Transient cookies can be used with
SSL (Secure Sockets Layer) to be encrypted so your information isnt stored
Cookies are a good use sometimes, but alot of the time its better to not use them. I
will go over why now.
What it is, in general is the modification of a cookie by an attacker.
This is used to achieve un-allowed information, for use such as indentify
theft, credit card theft, etc.. Bad Bad thing. Think about it if a
malicious attacker gains access and reads cookies of a place to where you
have recently purchased a product or something over the internet. Now the
user can guard against this by encrypting well. If a web site doesnt
encrypt its url's, cookie theft is much easier. All the attacker has to do
is then edit the cookie to his/her own use. Digital Signatures are
sometimes used to validate the content between user and sender request.
I didnt go over "how to steal cookies" for the reason that it is not
needed to be known by the common user. If you have such information, i do
not want it provided by me. I only talked about cookie poisoning to aware
the user of the dangers of visiting non-encrypted or non-signatured sites.