cookies

Work in Progress

Summary

Token based authentication

  • single sign-on
  • token is the cookie
  • needs to be unpredictable

Concept

Cookies

  • data sent by the server in the HTTP response
  • stored in the browser
  • whenever the client revisits the website (same origin), the cookie is sent alongside the request/query
  • types:
    • Session cookies: expire after browser closes
    • Secure cookies: sent only over HTTPS
    • HttpOnly cookies: inaccessible to JavaScript
[Sequence diagram: Client (Browser) sends an HTTP request, Server returns an HTML response; the later query and reply are each labelled with the token t]

Same-Origin Policy

  • scripts running in the browser can access cookies if they have the same origin
  • origin - combination of protocol, hostname and port
  • scripts can include code in HTML files
  • weakness: the definition of "origin" is ambiguous
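An added Python example (not part of these notes) that puts the cookie section and the Same-Origin Policy section above into code: an unpredictable session token issued as a Secure, HttpOnly session cookie, a check for which of those flags a Set-Cookie header is missing, and the same-origin comparison of protocol, hostname and port. The SameSite attribute, the function names and the header samples are my own additions.

```python
import secrets
from urllib.parse import urlsplit

# The two cookie types from the notes that a session cookie should carry.
REQUIRED_ATTRS = ("secure", "httponly")

# Default ports per protocol, so "https://a" and "https://a:443" compare equal.
DEFAULT_PORTS = {"http": 80, "https": 443}


def new_session_token(nbytes: int = 32) -> str:
    """Token from the OS CSPRNG: unpredictable, unlike a counter or timestamp."""
    return secrets.token_urlsafe(nbytes)


def build_set_cookie(name: str, token: str) -> str:
    """Set-Cookie header for a session cookie (no Expires/Max-Age, so it
    dies when the browser closes). SameSite=Strict is an added assumption."""
    return f"{name}={token}; Path=/; Secure; HttpOnly; SameSite=Strict"


def parse_set_cookie(header: str) -> tuple[str, str, dict]:
    """Split 'name=value; Attr; Attr=val' into name, value and a
    lowercase attribute map (flag attributes map to '')."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def missing_cookie_flags(header: str) -> list[str]:
    """Which of the required protections does this Set-Cookie header lack?"""
    _, _, attrs = parse_set_cookie(header)
    return [a for a in REQUIRED_ATTRS if a not in attrs]


def origin(url: str) -> tuple[str, str, int]:
    """Origin = (protocol, hostname, port), filling in the default port."""
    u = urlsplit(url)
    scheme = u.scheme.lower()
    return scheme, (u.hostname or "").lower(), u.port or DEFAULT_PORTS.get(scheme, 0)


def same_origin(url_a: str, url_b: str) -> bool:
    """Two URLs share an origin only if all three components match."""
    return origin(url_a) == origin(url_b)
```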

Cookie stealing?