Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Are HTTP cookies port specific?

Tags:

http

security

cookies

I have two HTTP services running on one machine. I just want to know if they share their cookies or whether the browser distinguishes between the two server sockets.

like image 537
guerda Avatar asked Oct 23 '09 08:10

guerda

People also ask

Are cookies specific to port?

Cookies do not provide isolation by port. If a cookie is readable by a service running on one port, the cookie is also readable by a service running on another port of the same server. If a cookie is writable by a service on one port, the cookie is also writable by a service running on another port of the same server.

How does HTTP cookies work?

An HTTP cookie (web cookie, browser cookie) is a small piece of data that a server sends to a user's web browser. The browser may store the cookie and send it back to the same server with later requests.

What is HTTP cookie Path?

The cookie-path is a prefix of the request-path, and the last character of the cookie-path is %x2F ("/"). The cookie-path is a prefix of the request-path, and the first character of the request-path that is not included in the cookie- path is a %x2F ("/") character.

Is cookie domain specific?

If a cookie's domain attribute is not set, the cookie is only applicable to its origin domain. If a cookie's domain attribute is set, the cookie is applicable to that domain and all its subdomains; the cookie's domain must be the same as, or a parent of, the origin domain.

1 Answers

The current cookie specification is RFC 6265, which replaces RFC 2109 and RFC 2965 (both RFCs are now marked as "Historic") and formalizes the syntax for real-world usages of cookies. It clearly states:

  1. Introduction

...

For historical reasons, cookies contain a number of security and privacy infelicities. For example, a server can indicate that a given cookie is intended for "secure" connections, but the Secure attribute does not provide integrity in the presence of an active network attacker. Similarly, cookies for a given host are shared across all the ports on that host, even though the usual "same-origin policy" used by web browsers isolates content retrieved via different ports.

And also:

8.5. Weak Confidentiality

Cookies do not provide isolation by port. If a cookie is readable by a service running on one port, the cookie is also readable by a service running on another port of the same server. If a cookie is writable by a service on one port, the cookie is also writable by a service running on another port of the same server. For this reason, servers SHOULD NOT both run mutually distrusting services on different ports of the same host and use cookies to store security sensitive information.

like image 108
Remy Lebeau Avatar answered Oct 04 '22 18:10

Remy Lebeau
Sign in to Comment

Related questions

Is either GET or POST more secure than the other?
Default SecurityProtocol in .NET 4.5
"Keep Me Logged In" - the best approach
How does Content Security Policy (CSP) work?
What are all the user accounts for IIS/ASP.NET and how do they differ?
Is "double hashing" a password less secure than just hashing it once?
How to redirect all HTTP requests to HTTPS
Practical non-image based CAPTCHA approaches?
JWT authentication for ASP.NET Web API
SPA best practices for authentication and session management
Why is it common to put CSRF prevention tokens in cookies?
PreparedStatement IN clause alternatives?
How are software license keys generated?
Why am I suddenly getting a "Blocked loading mixed active content" issue in Firefox?
Why would one omit the close tag?
Why is JsonRequestBehavior needed?
The difference between the 'Local System' account and the 'Network Service' account?
Worst security hole you've seen? [closed]
Are querystring parameters secure in HTTPS (HTTP + SSL)? [duplicate]
How to secure database passwords in PHP?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!