
Secure (Encrypted) Client Browser Cookie Programming

Here are my notes on client internet browser cookie files —user and programming together in one place.

Cookies are a general mechanism which server side connections (such as CGI scripts) can use to both store and retrieve information on the client side of the connection. The addition of a simple, persistent, client-side state significantly extends the capabilities of Web-based client/server applications.

 

This Page:

  • Useful Cookies
  • The Problem With Cookies
  • Configuration
  • File Location
  • Getting Cookies
  • Deleting Cookies
  • Testing Cookies



    Types of Cookies

    Uses for Cookies

      Here are the top 5 ways cookies can be used to personalize a site with information obtained from the user:

      • Greet the user by a name provided by the user from a previous session

      • Display the user selection of background color, image, etc.

      • Display special messages for first-time or returning visitors

      • Allow the website to save the URL which referred the visitor to a website. This is good to track search engine referrals or to pay affiliate referral "click through" commissions.

      • Allow the user to bypass login and password entry.



    The Problem With Cookies

    1. Many websites do not bother to encrypt the value they store in cookies. So your password or other private information may be stored without your knowledge. Some programs (such as Gator) copy all the cookie files on your hard disk to "target" what advertisements to send you.

    2. Not every browser is "cookie friendly", even though almost all of the most popular browsers can read and write cookies.

    3. A user may have set their browser to not accept cookies, such as from Tools -> Internet Options... -> Privacy -> Advanced, then checking "Override automatic cookie handling".

    4. When a browser loads, it reads all the cookies into memory. This slows down the browser and takes up memory.

    5. A server, when returning an HTTP object to a client, may also send a piece of state information which the client will store. Included in that state object is a description of the range of URLs for which that state is valid. Any future HTTP requests made by the client which fall in that range will include a transmittal of the current value of the state object from the client back to the server. This takes up bandwidth which may slow applications.

    6. No more than 20 cookies can be saved per domain name or 300 cookies in total.

    7. Cookie text is truncated if it is larger than 4 KB (4,000 characters) after being combined with OPAQUE_STRING.

    8. The MS.NET framework 1.0 has a known cookie buffer overrun vulnerability.



    Cookie Data Structure

      The classic ASP Cookie Debugger by Lewis E. Moten uses the following knowledge:

      Each domain can hold several cookies.

      The number of cookies within a domain can be obtained from the Count property of the Cookies collection of the Request object:

        i = Request.Cookies.Count

      Each cookie can hold several crumbs. The number of crumbs within a cookie can be obtained from

        j = Request.Cookies( i ).Count

      The key of each crumb can be obtained from

        Server.HTMLEncode(Request.Cookies( i ).Key( j ))

      The value of each crumb can be obtained from

        Server.HTMLEncode(Request.Cookies( i )( j ))



    Configuring Cookie Acceptance

      Cookies are set on or off from either the Tools menu or the Options menu.

      On Microsoft Internet Explorer version 6 (IE6) that comes with the Windows XP operating system:

      1. Click Tools, Internet Options, Security tab, Custom Level button.
      2. Scroll down the Security Settings to Userdata persistence.
      3. Click radio button Disable or Enable cookies.
      4. When you click OK, a Warning will appear to make sure you're sure.
      5. Click OK to close Internet Options. You do not need to reboot the machine.

      Cookies are stored ???



    Setting (Saving) Cookies

        // Usage: SetCookie(name, value [, expires [, path [, domain [, secure]]]])
        // expires is a Date object; the path argument is ignored (always "/").
        function SetCookie (name, value) {
          var argv = arguments;
          var argc = arguments.length;
          var expires = (argc > 2) ? argv[2] : null;
          var path = "/"; // (argc > 3) ? argv[3] : null;
          var domain = (argc > 4) ? argv[4] : null;
          var secure = (argc > 5) ? argv[5] : false;
          // escape() encodes spaces, commas and semicolons in the value.
          document.cookie = name + "=" + escape(value) +
            ((expires == null) ? "" : ("; expires=" + expires.toUTCString())) +
            ((path == null) ? "" : ("; path=" + path)) +
            ((domain == null) ? "" : ("; domain=" + domain)) +
            ((secure == true) ? "; secure" : "");
        }
        

      A cookie is introduced to the client by including a Set-Cookie header as part of an HTTP response generated by a CGI, ASP, or other server-side script.

      Cookies are saved into "document.cookie".

      ASP.NET does not encode cookies in UrlEncode format by default. So to ensure that cookie values do not have spaces, commas, or semicolons, the built-in Javascript functions escape() and unescape() convert and unconvert those characters. For example, a space is converted to %20, etc.



    Cookie Content Format

      Set-Cookie has four parts:

    • NAME=VALUE; -- the only required field.
    • expires=DATE; based on RFC 822, RFC 850, RFC 1036, and RFC 1123, with the variations that the only legal time zone is GMT and the separators between the elements of the date must be dashes.
    • path=PATH; The path "/foo" would match "/foobar" and "/foo/bar.html".
    • domain=DOMAIN_NAME; -- host name of the server which generated the cookie response.
    • secure -- an optional field. If secure is not specified, a cookie is considered safe to be sent in the clear over unsecured channels. A cookie marked secure will only be transmitted if the communications channel with the host is a secure one. Currently this means that secure cookies will only be sent to HTTPS (HTTP over SSL) servers.





    Getting (Retrieving) Cookies

      For a pop-up of the cookie value for the current page, type on the IE Address bar:

        javascript:alert(document.cookie);
        

      Within a Javascript source:

      // Return the unescaped value that starts at offset and runs to the next ";".
      function getCookieVal (offset) {
        var endstr = document.cookie.indexOf(";", offset);
        if (endstr == -1)
          endstr = document.cookie.length;
        return unescape(document.cookie.substring(offset, endstr));
      }

      // Return the value of the cookie called name, or null if it is not set.
      function GetCookie (name) {
        var arg = name + "=";
        var alen = arg.length;
        var clen = document.cookie.length;
        var i = 0;
        while (i < clen) {
          var j = i + alen;
          if (document.cookie.substring(i, j) == arg)
            return getCookieVal(j);
          // Skip to the character after the next space (start of the next cookie).
          i = document.cookie.indexOf(" ", i) + 1;
          if (i == 0)
            break;
        }
        return null;
      }
      



    Deleting Cookies

      To delete cookies on a client machine, use a tool such as Pest Patrol or manually go to the Cookies folder within each user's "Documents and Settings" folder.

      Returning a cookie with the same name and an expires time which is in the past deletes the cookie. The path and name must match exactly in order for the expiring cookie to replace the valid cookie. This requirement makes it difficult for anyone but the originator of a cookie to delete a cookie.

      To delete programmatically in ASP.NET, use an Expiry date of

        DateTime.Now.AddYears(-30)

      This is the safest (and most symmetric) way. Do not use Response.Cookies.Remove("MyCookie"), because to IE this means the response does not overwrite the client's cookie.
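
      The fields under "Cookie Content Format" and the deletion rule above, modelled as a small cookie jar. This is an added example, not code from the original page; parseSetCookie, CookieJar, demo and the host shop.example.test are constructed names, and domain matching is simplified to an exact host comparison.

```javascript
// Added example; all names and sample headers are constructed for illustration.
function parseSetCookie(header, requestHost) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1),
                   expires: null, path: "/", domain: requestHost, secure: false };
  for (const attr of attrs) {
    const i = attr.indexOf("=");
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    const val = i === -1 ? "" : attr.slice(i + 1);
    // Dash-separated dates ("01-Jan-1970") are normalized before parsing.
    if (key === "expires") cookie.expires = new Date(val.replace(/-/g, " "));
    else if (key === "path") cookie.path = val;
    else if (key === "domain") cookie.domain = val.toLowerCase();
    else if (key === "secure") cookie.secure = true;
  }
  return cookie;
}
class CookieJar {
  constructor() { this.store = new Map(); }
  // Identity is name + domain + path; an expired Set-Cookie removes only that exact entry.
  set(header, requestHost, now = new Date()) {
    const c = parseSetCookie(header, requestHost);
    const key = [c.name, c.domain, c.path].join("|");
    if (c.expires !== null && c.expires <= now) this.store.delete(key);
    else this.store.set(key, c);
  }
  // Names of the cookies that would accompany a request to `url`.
  cookiesFor(url) {
    const u = new URL(url);
    return [...this.store.values()]
      .filter((c) => u.hostname === c.domain)          // simplification: exact host only
      .filter((c) => u.pathname.startsWith(c.path))    // prefix match, so "/foo" covers "/foobar"
      .filter((c) => !c.secure || u.protocol === "https:")
      .map((c) => c.name);
  }
}
function demo() {
  const host = "shop.example.test", epoch = "expires=Thu, 01-Jan-1970 00:00:00 GMT";
  const jar = new CookieJar();
  jar.set("sid=abc123; path=/foo; secure", host);
  jar.set("theme=dark; path=/foo", host);
  const https = jar.cookiesFor("https://" + host + "/foobar");
  const http = jar.cookiesFor("http://" + host + "/foo/bar.html");
  jar.set("theme=; path=/; " + epoch, host);      // path differs: nothing is deleted
  const wrongPath = jar.cookiesFor("http://" + host + "/foo/bar.html");
  jar.set("theme=; path=/foo; " + epoch, host);   // name and path match: deleted
  return { https, http, wrongPath, exact: jar.cookiesFor("http://" + host + "/foo/bar.html") };
}
```

      The secure cookie is withheld from the plain HTTP request, and the expiring cookie sent with path=/ leaves the path=/foo cookie in place.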



    Testing Cookies

      LoadRunner script commands to manage cookies:

      • web_cleanup_cookies(); for C

        lrapi.web.cleanup_cookies() for Java/Javascript

        Removes all the cookies that are currently stored by the Vuser while the Vuser script runs.

      • web_remove_cookie ( "c1" );

        Removes the cookie named "c1" from the list of cookies available to a Vuser, regardless of domain and path.

      • web_add_cookie ("client_id=c1; path=/; expires=Wednesday, 09-Nov-2004 23:12:40 GMT; domain=www.cnn.com", LAST);

        Adds a new cookie or modifies an existing one named "c1".

      • web_reg_add_cookie ("client_id=c1; path=/; expires=Wednesday, 09-Nov-2004 23:12:40 GMT; domain=www.cnn.com", "cookie", LAST);

        Registers a search for a text string and adds a cookie if the text is found.

      Remember to vary the date/time stamps.



    Portions ©Copyright 1996-2014 Wilson Mar. All rights reserved.

