There're cookies in my browser! — Cookie & Session

Author: @AGa Aga Date: Oct 8, 2020 Tags: 延伸閱讀備註: 延伸閱讀 is really awesome. Give it a look! 性質: Tech Share

http is stateless
Session is a concept
The technique allows clients and servers that wish to exchange state information to place HTTP requests and responses within a larger context, which we term a "session". (from RFC-2109)
Cookie is a technique
It describes two new (http) headers, Cookie and Set-Cookie, which carry state information between participating origin servers and user agents. (from RFC-2109)

Session Prediction
- Technique：If the SessionID is too weak (short, predictable patern...), then the attacker can guest or bruteforce it.
- Protection
  - Use SessionID analysis tool to evaluate the randomness and unpredictability
  - Use standard library
Session Hijacking
- Technique：Hijacking means to take control of or use something that does not belong to you for your own advantage. There are many methods to hijack the Cookie.
  - XSS
  - ARP spoofing
- Protection
  - Set the HttpOnly attribute of the Cookie (Can't use by JavaScript)
  - Set the Secure attribute of the Cookie (Can only be include when using secure channel)
  - Re-authenticate the user before performing critical operations (Ex: enter the password)
Session Fixation
- Technique：Inducing the victim visiting the website using specific Cooike, which is control by the attcker.
- Protection
  - Change SessionID right after successful login
  - Don't use GET/POST to transmit SessionID

A piece of data transmitting between different domain. Unix 'magic-cookie'.