Cookie (Part II)

The basic definition of Cookie is here. Now, let us dive deep into this topic with everyday life.


You have a house named "Happy Home" which is 1000 square feet in size and you have a main door key that is a number lock system. You know the PIN to open your house's main door and the PIN has to be changed periodically. Suppose, today is Nov 2, 2023, and the PIN has to be changed on 1st of Jan, 2024. 

Now, you will have three different scenarios.

1) Each room has a separate PIN that includes the main door. Once you open the door, you can access only the living room, and the rest of the rooms are locked and cannot open because you don't know the PIN (to access).

2) The living room and the master bedroom have the same PIN. Once you open the door, you can access the living room and your master bedroom (locked earlier) using the same PIN. 

3) The main door has a number lock. The rest of the room doors are already open and have no lock system. In this case, if you open the main door, you can go to any of the rooms in the house.

By using the above three scenarios, I hope it is easy to understand the cookies well.

An example of a Set-Cookie to understand how a cookie looks like

Set-Cookie: __Secure-1PSIDCC=ACA-OxNDpum4KIyX29Iws89vtjBmstEg6yVwiIZA6V0wFaISM4p8MGOV-MEyGTEOkYipfvdxi0I; expires=Fri, 01-Nov-2024 15:13:19 GMT; path=/; domain=.google.com; Secure; HttpOnly; priority=high

Below are the attributes of the cookies.

Cookie name: Your house is the cookie name. The name of the cookie is case sensitive and contains any ASCII characters except space, tab, and one of the special characters ( ) < > [ ]  @ \ / , ; : “ ?

Sometimes cookie name starts with __Secure, __Host. 

  • __Secure should have a secure flag from the secure page (HTTPS)
  • __Host should have a secure flag from the secure page (HTTPS) with the path /

Cookie Value: "Happy Home" is the cookie value. The cookie values will be generated by the server to send the data.

Domain: The address of the house points to the domain (Internet address of a website). 

  • Example: www.blogspot.com. In this example, www is a sub-domain, blogspot is the domain name and .com is the top-level domain. The root domain (blogspot.com) is the combination of domain name and top-level domain. 

Path: It shows the direction which helps to reach the destination easily. We call it an Endpoint here. It plays a major role with domain to set the scope of the cookie. If the domain and path match, then the cookie will be sent in the request. The path should always have a forward slash (/) used to delimit directories and subdirectories.

Expires: The cookie will be deleted after the mentioned date and is no longer available if it's a session cookie. This is similar to how the main door PIN expires on 31st Dec, 2023.

Max-Age: How many days are left to change the PIN? As per the above date of the main door PIN, 59 days is the Max-Age. 

Size: 1000 square feet is the size. The maximum size of a cookie is 4096 bytes and a site can store up to 20 cookies. When trying to send more than the allowable bytes, the web page refuses to serve and displays a 400 (Bad Request) status code.

HttpOnly: HTTPOnly is similar to a grilled gate fixed with the main door or considered a double door. It helps to prevent attacks to some extent. The cookie can be sent when the HttpOnly attribute is set using Javascript but it can not be accessed through the document properties.

Secure: The PIN will be known only to the owner or who lives in the house. When others are trying to open with the wrong PIN, it is restricted. It means when the request is sent only through the secure channel called HTTPS, this attribute confirms the browser to send the cookie.

SameSite: This attribute helps the cookies to be sent to cross-origin HTTP requests. There are three values of this attribute strict, lax, and none. 

  • Strict: Cookies can be sent for same-site requests only. This depicts scenario 1: You can roam around the living room again and again but cannot have access to the rooms inside the house.
  • Lax: This depicts scenario 2: You can open the main door but other doors are closed in the house. If you enter the master bedroom PIN, you can have access to the room.  Similarly, "lax" enables you to go to different sites if you click the link available on the main page. This is the default setting when the Samesite is not set anything.
  • None: This depicts scenario 3. It accepts cross-site requests as well as same-site HTTP requests.

Partition Key: Two values "None" and "Partitioned". If the Partition key is enabled, it is considered as "Partitioned". The cookie should be stored using partitioned storage (CHIPS - Cookies Having Independent Partitioned State) in a separate cookie jar per top-level site. It helps to improve user privacy and security. When it is partitioned, the cookie will have a host key and a partition key (Double-key-ed)

Priority: Low, Medium, and High are set based on the priorities. Medium is the default priority when this attribute is not set.

I have covered real-life examples to make the understanding better. This is a never-ending learning to understand the cookie.



Comments

Post a Comment

Popular posts from this blog

How to Install Jenkins

Image
Jenkins is an open-source Java application server for Continuous Integration and Continuous Delivery (CI/CD). This will run in servlet containers such as Apache Tomcat. It helps the developers to build, test, and deploy the software by automating using CI/CD pipelines. It detects bugs and notifies the developers in an early stage. How to Download and Install: Step 1: Go to https://www.jenkins.io/ . Click Download Step 2: Download Jenkins ‘Generic Java package’. I prefer to download the LTS package (It is a stable one). Step 3: Select your desired path after downloading and save the Jenkins.war file in your local system. Step 4: Go to command prompt (Windows) | Terminal (IOS)                Go to the folder where the war file is saved. Then, type the command java -jar Jenkins.war and run it. It will take a while to run the command. It gives an admin password. Note it down to use Jenkins the first time. The password will be saved in the Jenkin path. Step 5: Go to the browse
Read more

HTTP Payloads

Image
 What happens when I send a letter without information to the receiver that I require some details from them? What happens when the receiver writes a response to my letter without having the information I need? This information is similar to the body generally called a payload in HTTP request and response.  Let us see the payload in the HTTP request and HTTP response individually. I have added the below image to explain the HTTP request and response body/payload in JSON. I have used BurpSuite to take this image and Swagger Petstore (petstore.swagger.io) for this example. HTTP Request Payload Generally, the payload is not required for all the requests and responses. GET and HEAD methods usually do not require a body while sending a request to the server. The above example is a POST request to create a resource name 'doggie'. To achieve this, I should send some information about the resource which is called HTTP request payload. Breakdown of request payload: Content-Type:  Specif
Read more

Variables in Postman

What is a variable? This is the basic question to learn when you start programming. I am not going to dive deep into the programming concepts. Let me explain the variables used in Postman. What is a Variable in Postman? A data unit, that stores a value and it is dynamic based on the data type we use.  Should be written as Key: Value pair (Example: name= "Test"; num=1;) Provides the facility to access the value without manual effort every time. There are 5 different scopes of variables used in Postman. Global Variables Environment Variables Collection Variables Data Variables Local Variables These variable scopes are specially designed to refer to values in the Postman tool. Global Variable:          When the variable is assigned globally, it has all the privileges of accessing anywhere in the workspace such as the Environment, Collection. Environment Variable:          It is limited within the specific environment where you can access data between collections. Collection Vari
Read more