
How browsers know what cookies to send to server when requesting?

I know how cookies work; I just started to dig into why Codeigniter does not store the generated CSRF token in the SESSION, it just stores it in a cookie. Concerned about security, I've started to think about the PHP setcookie() function params such as path and domain. And I have asked myself: is it possible to set 'evil_cookie' with path='/' and domain='www.goodsite.com' from another domain, from some 'www.evilsite.com'? And another question is, will 'evil_cookie' be sent to 'www.goodsite.com' when performing a request to 'www.goodsite.com'?

So, I did a test. I've created a 'set_cookie.php' file and uploaded it to some 'www.evilsite.com':

<?php
// Try to set a cookie scoped to www.goodsite.com from a page served by www.evilsite.com
// (expires in 30 minutes, path '/', domain 'www.goodsite.com')
setcookie('evil_cookie', 'gotcha', time() + 60 * 30, '/', 'www.goodsite.com');

I was using Firefox with the Firebug + Cookie plugins to view sent and received cookies. So, I did receive 'evil_cookie' after the request to 'www.evilsite.com/set_cookie.php'. However, the cookie was not saved (at least there was no such cookie when viewing it in the Firebug cookie plugin panel). Nor was it sent when requesting 'www.evilsite.com/set_cookie.php' again. Just received but not saved.

From the Firefox browser's point of view, it's logical and secure to save cookies for the current domain only. IMHO those setcookie() params such as path and domain are primarily for managing cookies for the current domain and its subdomains, but not for external domains. I was a little bit upset that I was unable to find related info on php.net, so I'm not sure whether it is browser-related behavior (the specifics of how it deals with "3rd party cookies") or more of a standard. Do all browsers behave the same? If there's any solid and reliable source for such statements, please share.

That is also relevant to another use of cookies: storing session data (without using PHP native sessions; for example, Codeigniter does so). So, if all browsers do not allow saving a cookie with a domain other than the current one, then it's OK. However, it does not protect from CSRF, as 'www.evilsite.com' might contain evil JavaScript code that will create 'evil_cookie' directly on the client when a user performs a request to 'www.evilsite.com' and gets the response.

Centurion, asked Jan 10 '12 15:01


1 Answer

Cookies are subject to the same origin policy: a site can only write and read cookies for its own domain.

Sjoerd, answered Oct 18 '22 08:10
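To see how the domain and path rules behind the question (can evilsite set a cookie for goodsite, and which cookies go to goodsite) and the answer (cookies are scoped to their own domain) actually play out, here is an added example: a small cookie jar that applies the RFC 6265 storage and selection rules. This is JavaScript written for this page, not code from the original question or answer and not CodeIgniter's or PHP's code. It is a deliberately simplified model (no public-suffix list, no Secure/HttpOnly/SameSite attributes, no expiry handling), and www.goodsite.com / www.evilsite.com are the constructed host names from the question.

```javascript
// Added example: a minimal model of how a browser decides (a) whether to store a
// Set-Cookie it receives and (b) which stored cookies to attach to a request.
// Simplification: no public-suffix list, no Secure/HttpOnly/SameSite, no expiry.

// RFC 6265 section 5.1.3: the request host domain-matches the cookie domain when it
// is identical to it or is a subdomain of it (IP-address cases are ignored here).
function domainMatches(requestHost, cookieDomain) {
  const host = requestHost.toLowerCase();
  const dom = cookieDomain.toLowerCase();
  return host === dom || host.endsWith("." + dom);
}

// RFC 6265 section 5.1.4: the cookie path must be a prefix of the request path, and
// either end in "/" or be followed by "/" in the request path ("/cgi-binx" must not
// match a cookie path of "/cgi-bin").
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  if (cookiePath.endsWith("/")) return true;
  return requestPath[cookiePath.length] === "/";
}

// Default path when Set-Cookie carries no Path attribute (RFC 6265 section 5.1.4).
function defaultPath(requestPath) {
  if (!requestPath.startsWith("/")) return "/";
  const idx = requestPath.lastIndexOf("/");
  return idx === 0 ? "/" : requestPath.slice(0, idx);
}

class CookieJar {
  constructor() {
    this.cookies = [];
  }

  // Handle a Set-Cookie received in a response from requestHost/requestPath.
  // Returns true if the cookie was stored, false if the browser would reject it.
  setCookie(requestHost, requestPath, { name, value, domain, path }) {
    let hostOnly = true;
    let cookieDomain = requestHost.toLowerCase();
    if (domain) {
      // RFC 6265 section 5.3 step 6: a Domain attribute the request host does not
      // domain-match is rejected outright. This is why evilsite cannot set a
      // cookie for goodsite, regardless of path.
      const d = domain.replace(/^\./, "").toLowerCase();
      if (!domainMatches(requestHost, d)) return false;
      hostOnly = false;
      cookieDomain = d;
    }
    const cookiePath = path && path.startsWith("/") ? path : defaultPath(requestPath);
    // A cookie with the same name, domain and path replaces the old one.
    this.cookies = this.cookies.filter(
      (c) => !(c.name === name && c.domain === cookieDomain && c.path === cookiePath)
    );
    this.cookies.push({ name, value, domain: cookieDomain, path: cookiePath, hostOnly });
    return true;
  }

  // Build the Cookie header value for a request to requestHost/requestPath
  // (RFC 6265 section 5.4): host-only cookies need an exact host match, domain
  // cookies need a domain-match, and the path must match. Longer paths go first.
  cookiesFor(requestHost, requestPath) {
    const host = requestHost.toLowerCase();
    return this.cookies
      .filter((c) => (c.hostOnly ? host === c.domain : domainMatches(host, c.domain)))
      .filter((c) => pathMatches(requestPath, c.path))
      .sort((a, b) => b.path.length - a.path.length)
      .map((c) => `${c.name}=${c.value}`)
      .join("; ");
  }
}

// Constructed scenario mirroring the question.
function demo() {
  const jar = new CookieJar();
  // evilsite's set_cookie.php tries to scope a cookie to www.goodsite.com
  const evilAccepted = jar.setCookie("www.evilsite.com", "/set_cookie.php", {
    name: "evil_cookie", value: "gotcha", domain: "www.goodsite.com", path: "/",
  });
  // goodsite sets a host-only session cookie (constructed value)
  jar.setCookie("www.goodsite.com", "/index.php", { name: "ci_session", value: "abc123", path: "/" });
  // goodsite sets a domain cookie that its subdomains also receive
  jar.setCookie("www.goodsite.com", "/index.php", { name: "shared", value: "1", domain: "goodsite.com", path: "/" });
  return {
    evilAccepted,                                                  // false: rejected
    toGoodsite: jar.cookiesFor("www.goodsite.com", "/account"),    // "ci_session=abc123; shared=1"
    toEvilsite: jar.cookiesFor("www.evilsite.com", "/set_cookie.php"), // ""
    toSubdomain: jar.cookiesFor("api.goodsite.com", "/v1/x"),      // "shared=1"
  };
}

console.log(demo());
```

The first result answers the question directly: the Set-Cookie from www.evilsite.com with Domain=www.goodsite.com is received but never stored, which is exactly what Firebug showed. The other three results show the selection side: goodsite's own cookies go only to goodsite (and, for the domain cookie, its subdomains), and nothing goodsite-scoped is ever sent to evilsite.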