Web Application Security & Learn to find & fix SQL injection, Cross site & web security issues

Sunday, September 10, 2006

Cookie Structure



(domain) The website domain that created the cookie and that is allowed to read it.

(flag) A TRUE/FALSE value indicating whether all machines within the given domain can access the cookie (TRUE for a domain cookie such as .example.com) or only the exact host that set it (FALSE).

(path) The path attribute supplies a URL range for which the cookie is valid. If path is set to /reference, the cookie will be sent for URLs in /reference as well as sub-directories such as /reference/webprotocols. A pathname of "/" indicates that the cookie will be sent for all URLs at the site from which the cookie originated.

(secure) A TRUE/FALSE value indicating whether an SSL connection with the domain is required before the browser will send the cookie.

(expiration) The time at which the cookie expires. Omitting the expiration date tells the browser to store the cookie only in memory (a non-persistent, or session, cookie); it is erased when the browser is closed.

(name) The name of the variable; the variable's value follows it as the last field.


The limit on the size of each cookie (name and value combined) is 4 KB (4096 bytes), and a maximum of 20 cookies per server or domain is allowed. These are the limits of the original Netscape cookie specification; browsers that follow RFC 6265 must accept at least 50 cookies per domain, so do not design around the older figure.
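The attributes listed above decide whether a stored cookie is attached to a given request. The following added example (not code from the original post) applies those rules to a small cookie jar in the Netscape cookies.txt layout, one tab-separated line per cookie in the order domain, flag, path, secure, expiration, name, value. The jar contents, the host names and the clock value are constructed for the example; path matching uses the directory-boundary rule the text describes (/reference covers /reference/webprotocols but not /referencexyz).

```python
"""Which cookies does a browser send with a request?  Applies the domain, path,
secure and expiration rules to a Netscape-format cookie jar.  Added example,
not code from the original post."""
from urllib.parse import urlsplit

# Constructed sample jar for this example (not real captured data).
# Expiration is Unix seconds; 0 marks a non-persistent, memory-only cookie.
SAMPLE_JAR = """\
# Netscape HTTP Cookie File
.example.com\tTRUE\t/\tFALSE\t2000000000\tlang\ten-us
.example.com\tTRUE\t/reference\tFALSE\t2000000000\tsection\tweb
www.example.com\tFALSE\t/\tTRUE\t2000000000\tsession\tabc123
www.example.com\tFALSE\t/\tFALSE\t0\tADMIN\tno
www.example.com\tFALSE\t/\tFALSE\t1000000000\told\tstale
"""


def parse_jar(text):
    """Parse cookies.txt lines into dicts; blank lines and '#' comments are skipped."""
    cookies = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        domain, flag, path, secure, expires, name, value = line.split("\t", 6)
        cookies.append({
            "domain": domain,
            "all_hosts": flag == "TRUE",   # TRUE: every host in the domain may read it
            "path": path,
            "secure": secure == "TRUE",    # TRUE: only sent over SSL/TLS
            "expires": int(expires),       # 0: session cookie, erased on browser exit
            "name": name,
            "value": value,
        })
    return cookies


def domain_matches(cookie, host):
    """A domain cookie (.example.com) covers the domain and its subdomains;
    a host-only cookie goes back only to the exact host that set it."""
    if cookie["all_hosts"]:
        base = cookie["domain"].lstrip(".")
        return host == base or host.endswith("." + base)
    return host == cookie["domain"]


def path_matches(cookie, path):
    """'/' matches every URL; otherwise the cookie path must equal the request
    path or be a parent directory of it."""
    p = cookie["path"]
    if p == "/":
        return True
    return path == p or path.startswith(p.rstrip("/") + "/")


def cookie_header(cookies, url, now):
    """Build the Cookie header value a browser would send to `url` at Unix time `now`."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    path = parts.path or "/"
    sent = []
    for c in cookies:
        if c["expires"] and c["expires"] <= now:
            continue                      # persistent cookie that has expired
        if c["secure"] and parts.scheme != "https":
            continue                      # secure cookie over plain HTTP: withheld
        if not domain_matches(c, host) or not path_matches(c, path):
            continue
        sent.append(f"{c['name']}={c['value']}")
    return "; ".join(sent)


if __name__ == "__main__":
    jar = parse_jar(SAMPLE_JAR)
    for u in ("http://www.example.com/",
              "https://www.example.com/reference/webprotocols",
              "http://shop.example.com/"):
        print(u, "->", cookie_header(jar, u, now=1500000000))
```

Note that the secure flag only withholds the cookie from plain HTTP requests; it says nothing about whether the cookie's contents can be trusted once it arrives, which is the subject of the next paragraphs.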

Cookies are the preferred method of maintaining state over the stateless HTTP protocol. They are also used as a convenient mechanism to store user preferences and other data, including session tokens. Both persistent and non-persistent cookies, secure or not, can be modified by the client before they are sent back to the server with a request, so an attacker can change the cookie content to his advantage. There is a popular misconception that non-persistent cookies cannot be modified, but this is not true: tools like WinHex can edit them in browser memory, and an intercepting proxy can rewrite any cookie on the wire. SSL only protects the cookie in transit; it does nothing against modification at the client. The server must therefore never trust a cookie's contents unless it can verify them, for example by signing the value or by keeping only an opaque session identifier in the cookie and the real data on the server.

The impact of cookie manipulation depends on what the cookie is used for, but the targets usually range from session tokens to flags or arrays on which the application bases its authorization decisions.


Cookie Example

Cookie: lang=en-us; ADMIN=no; y=1; time=05:30GMT;

An attacker can simply modify the cookie to:

Cookie: lang=en-us; ADMIN=yes; y=1; time=10:30GMT;

If the application bases its authorization decision on the ADMIN flag, the attacker is now treated as an administrator. Nothing on the client side prevents the change, so the server must either verify the flag's integrity or not store it in the cookie at all.
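The following added example (not code from the original post) shows the flaw from the Cookie example above beside one server-side fix: the vulnerable check honours whatever ADMIN value the client sends, while the hardened check only honours a value carrying a valid HMAC tag computed with a server-side key. The key and the function names are assumptions made for the example.

```python
"""Tampering with a client-controlled cookie, and a server-side integrity
check that catches it.  Added example, not code from the original post."""
import hashlib
import hmac


def parse_cookie_header(header):
    """Split 'lang=en-us; ADMIN=no; ...' into a dict (first occurrence of a name wins)."""
    cookies = {}
    for part in header.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        name, value = part.split("=", 1)
        cookies.setdefault(name.strip(), value.strip())
    return cookies


def is_admin_vulnerable(header):
    """The flaw from the text: the authorization decision trusts a client-supplied flag."""
    return parse_cookie_header(header).get("ADMIN") == "yes"


# Hypothetical server-side secret for this example; it is never sent to the client.
SERVER_KEY = b"assumed-server-secret-key"


def sign_value(value, key=SERVER_KEY):
    """Append an HMAC-SHA256 tag so the server can detect client modification."""
    tag = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()
    return f"{value}.{tag}"


def verify_value(signed, key=SERVER_KEY):
    """Return the original value if the tag is valid, otherwise None."""
    value, sep, tag = signed.rpartition(".")
    if not sep:
        return None                          # no tag at all: a client-fabricated value
    expected = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None                          # value or tag altered by the client
    return value


def is_admin_hardened(header):
    """Only honour ADMIN if its value carries a tag the server itself produced."""
    signed = parse_cookie_header(header).get("ADMIN")
    if signed is None:
        return False
    return verify_value(signed) == "yes"


if __name__ == "__main__":
    original = "lang=en-us; ADMIN=no; y=1; time=05:30GMT;"
    tampered = "lang=en-us; ADMIN=yes; y=1; time=10:30GMT;"
    print("vulnerable, original:", is_admin_vulnerable(original))
    print("vulnerable, tampered:", is_admin_vulnerable(tampered))
    issued = "lang=en-us; ADMIN=" + sign_value("no") + "; y=1"
    forged = "lang=en-us; ADMIN=yes." + sign_value("no").rpartition(".")[2] + "; y=1"
    print("hardened, issued:", is_admin_hardened(issued))
    print("hardened, forged:", is_admin_hardened(forged))
```

Signing stops silent modification but not replay of a value the server once issued, and it still leaves the role visible to the client. The cleaner design is to keep only a random, opaque session identifier in the cookie and look up roles such as ADMIN on the server.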
