6 Replies - 1348 Views - Last Post: 20 May 2012 - 01:48 PM

#1 cupidvogel

Are cookie info automatically sent to server on page request?

Posted 20 May 2012 - 12:13 PM

Hi, I am trying to understand cookies. Are the cookie information stored in a client's computer automatically sent to the server when the client requests a page from that site, either by clicking a link or entering the URL into address bar?

Replies To: Are cookie info automatically sent to server on page request?

#2 BetaWar

Re: Are cookie info automatically sent to server on page request?

Posted 20 May 2012 - 12:48 PM

Pretty much, yes. Cookies are sent to the server automatically when you make a request to the server, though only the relevant cookies are sent (thankfully). Javascript can be used to modify cookies from the client side.

So, when you make a request to google it sends all the cookies relevant to google with the request. Same with every other site out there.

The problem, as you may suspect, is that cookies are stored on the client's computer, meaning that the data in them can't be trusted outright. It may have been tampered with, or changed in a malicious way. For instance, if you are storing user ID in a cookie, then someone may modify their user ID to say '1' instead of whatever they would normally have. That would make them user 1, most of the time user 1 is also an administrator (being the first account created). But that isn't all, they could use any ID they pleased.

For these reasons most data being stored in cookies is normally hashed, or encrypted in such a way that the end user shouldn't be able to view its contents (at least not through typical means). I, for one, don't store user information in the cookies they have, but instead store a unique hash which correlates to a single row in a "sessions" database, which in turn correlates to a single user. If they don't have the correct hash then they aren't logged in. The hash is also not simply their ID or something like that hashed, but a longer string using things like session ID, timestamp, username, an additional string, etc. It can pretty much be whatever you want to use as long as it makes the hash harder to duplicate (if you just used a SHA2 hash with the user ID in it, then you really are just adding a step for the would-be hacker -- and don't use MD5, I believe it is broken at this point (can be un-hashed) or is close to it (within a couple of years), so it is best to use a longer hashing algorithm -- SHA is a good place to start).

Now, I know that this isn't all (mostly in fact) related to the Javascript question at hand, but looking at things in a bigger picture normally helps out :)

Hopefully this helps clarify your question.

#3 cupidvogel

Re: Are cookie info automatically sent to server on page request?

Posted 20 May 2012 - 01:00 PM

Wow, that helped me loads! Thanks! Can you further elaborate on what cookies should be used for, and how, other than storing a user ID to identify login sessions? I guess the advantage cookies offer over just storing the IP address of a logged-in user in the server database and providing an accordingly personalized page when the next page request comes from that IP is that multiple computers can fall under the same IP (router), or the IP address of a computer can change, whereas a cookie uniquely identifies the computer, right?

#4 BetaWar

Re: Are cookie info automatically sent to server on page request?

Posted 20 May 2012 - 01:18 PM

As I said in the previous post, you had best store something other than the user ID in the cookie, though there isn't really any standard for what that something is.

I generally just create an additional table in the database for sessions. Now, that session table could be set up in numerous ways, but it comes down to the basics: it needs a column for userID and another for uniqueHash. Then you simply store the uniqueHash value in the cookie and you will have a way to connect cookie and user without having something that can be easily modified (while remaining meaningful, that is). You could go ahead and make it more difficult to modify by associating the IP address of the computer you gave the cookie to with the session row; then if they don't have the same IP and uniqueHash they aren't the same person (from your eyes at least). This would also enforce a potential automatic logout time, given that the IP will eventually change (I believe that my IP changes at least every 30 days). In general, I would suggest doing something like this with any important information you want to associate with a client computer.

It appears that you have already thought up the problem with just using an IP address - they change. However, it could be a bit worse than that. I don't believe that most ISPs guarantee that you have a unique IP at any given time (meaning that someone else could have your same IP while you are using it). So, if you just use an IP address a completely unrelated client could come to your site and potentially have the same IP. Furthermore, there are programs out there to spoof IPs, or the client may be using a proxy, at which point their IP isn't their own anyway. Lots of potential problems there.

Cookies can be used to uniquely identify a computer, but they can also be used in other ways, such that they don't uniquely identify the computer at all (for instance, if you were storing page layout in a cookie for Javascript to modify the page on the fly when loaded -- lots of people could have the same page layout preferences). Cookies simply store data; whether that data is unique or not all depends on you and what you choose to store.

#5 cupidvogel

Re: Are cookie info automatically sent to server on page request?

Posted 20 May 2012 - 01:24 PM

Thanks. Apart from the user trying to tamper with the cookie data to pretend to be another user, or some other malicious reasons (which you say can be circumvented with encryption), are there any other security issues with cookies? And for the last part regarding the page layout, why should I store the layout directives in a cookie rather than as basic Javascript within the document furnished, so that it can render the document appropriately when loaded?

#6 BetaWar

Re: Are cookie info automatically sent to server on page request?

Posted 20 May 2012 - 01:44 PM

Hm, I can't think of anything else, as far as security issues, just keep in mind that cookies can be modified or deleted at the client's will; so you have to be able to deal with corrupt and missing data.

Generally, you would use CSS to position the page appropriately, but there are cases when you want to be able to customize the page layout for users (think the iGoogle pages or something of that sort).

Cookies can be used for a lot of things - basically anything that you want to have available between different pages (and on the server side, though sessions are generally a better choice if you don't need the information across multiple browser sessions). There are a lot of potential uses for cookies (as you can guess), so the number of things you can do is limited only by your imagination.

Cookies can also be used to store information on the client side in older browsers (such as ones that don't support client-side databases or localStorage). Storing data on the client's computer will offer quicker access than attempting to send a request to the server and get the response.

#7 cupidvogel

Re: Are cookie info automatically sent to server on page request?

Posted 20 May 2012 - 01:48 PM

Thank you so much! One day, when I do great things in the web world, I will surely tell the world how much this session helped me!