Abstract

Review cookies again. It seems that I already understand it, but in fact it is very profound and there are many things I don’t understand.

Cookies basics

  • Each cookie is a key-value pair along with a number of attributes that control when and where that cookie is used.
  • You can set a cookie in an HTTP header or through JavaScript interface.
  • Each cookie is a key-value pair along with a number of attributes that control when and where that cookie is used.

First-party and third-party cookies

  • Cookies that match the domain of the current site, that is, what’s displayed in the browser’s address bar, are referred to as first-party cookies.
  • Cookies from domains other than the current site are referred to as third-party cookies.

A number of security and privacy concerns

  • Cross-site request forgery (CSRF) attacks rely on the fact that cookies are attached to any request to a given origin, no matter who initiates the request.
  • You can explicitly state your intent with a cookie by setting the appropriate SameSite attribute.
  • By default,
    • cookies can be shared across sites
    • accessed by JavaScript
    • sent over HTTP connections, which comes with some privacy and security risks.

References