Internet Cookies, Privacy, and Security
Abstract – Browsing websites is the most common activity on the internet. When people use web pages, they are usually confronted with many cookie alerts, and most people find these alerts bothersome. But what are these alerts? Do people read the cookie policies before accepting them? In most cases, the answer is simply no. Most people tend to accept cookies without knowing what they are or why they appear in their browsers. This paper first presents the concept of internet cookies, their technical function, and their usability, and then continues with an analytical view of the privacy and security aspects of cookies. Cookie abuse is demonstrated using session hijacking as an example. Two different solutions for mitigating cookie abuse are presented and compared.
Key Words – cookies, authentication, session hijacking, HTTP protocol, security attacks.
- COOKIES, ATTRIBUTES, AND CLASSIFICATION
Web or HTTP cookies are small pieces of information sent back and forth between a server and a browser [LaCroix et al. 2017]. Cookies were first created by Lou Montulli, an employee at Netscape, who named them after the computer term “magic cookie”, a data token passed from one party to another [LaCroix et al. 2017], [Wu et al. 2010]. Cookies help a web server maintain state: when a server responds to a client request, it can at the same time store information for that client and have it returned at a later time [LaCroix et al. 2017].
Figure 1: Cookies Working Process [Li et al. 2013]
Cookies have gained wide usage in browsers and web applications due to their simplicity and efficiency. They can be found in almost every web application, where they are used for maintaining session state, authentication, personalization, and tracking user behavior [Yue et al. 2010], [Aladeokin et al. 2017].
A web application generates cookies as name-value pairs with attributes, containing information about the session that is stored in the browser. Generated cookies are sent to the browser in the Set-Cookie HTTP response header field [Ayadi et al. 2011]. Once cookies are accepted by the client and stored in the browser, they are attached to each request that the client sends to the web application [Dacosta et al., 2012].
The optional attributes of a cookie include Domain, Path, and Max-Age. The Domain attribute specifies the domain to which a cookie is sent, Path restricts it to a URL path, and Max-Age determines the lifetime of the cookie [Yue et al. 2010], [Ayadi et al. 2011].
Based on their origin and destination, cookies are classified as first-party cookies and third-party cookies [Yue et al. 2010]. First-party cookies are created by the website the user is currently visiting, while third-party cookies are generated by a website other than the one the user is visiting [Javed et al., 2014]. Furthermore, based on their lifetime, cookies are classified into session cookies and persistent cookies [Putthacharoen and Bunyatnoparat 2011]. Session cookies have no lifetime set; they are stored in memory and deleted as soon as the user closes the browser. Persistent cookies have a non-zero lifetime and are stored on disk until they expire or are deleted by the user [Yue et al. 2010].
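The attributes and the two classifications described above, worked through in code. This is an added example, not code from the paper: it parses Set-Cookie headers (also handling the Expires attribute and the Secure/HttpOnly flags) and labels each cookie as session or persistent and first- or third-party. The sample headers are constructed, and the same-site check is a simplification (last two DNS labels, no public-suffix list).

```python
"""Parse Set-Cookie headers and classify cookies by lifetime and origin.
Added example, not code from the paper. The same-site check is a
simplification (last two DNS labels, no public-suffix list)."""

# Constructed sample headers: (host that sent the response, Set-Cookie value)
# observed while a user visits www.example.com.
SAMPLE_HEADERS = [
    ("www.example.com", "sessionid=abc123; Path=/; HttpOnly; Secure"),
    ("www.example.com", "prefs=dark; Domain=example.com; Path=/; Max-Age=2592000"),
    ("ads.example-tracker.net", "track=xyz; Path=/; Max-Age=31536000"),
]

def parse_set_cookie(header: str) -> dict:
    """Split a Set-Cookie value into its name/value pair and attributes.
    Attribute names are case-insensitive (RFC 6265), so they are lower-cased;
    flags such as Secure and HttpOnly are stored as True."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if part:
            key, has_value, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip() if has_value else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}

def is_persistent(cookie: dict) -> bool:
    """Max-Age or Expires makes a cookie persistent; otherwise it dies with the browser."""
    attrs = cookie["attrs"]
    if "max-age" in attrs:
        return int(attrs["max-age"]) > 0
    return "expires" in attrs

def site_of(host: str) -> str:
    """Registrable site of a host (simplified: last two DNS labels)."""
    return ".".join(host.lower().split(".")[-2:])

def is_third_party(setting_host: str, visited_host: str) -> bool:
    """Third-party when the host that set the cookie belongs to a different site."""
    return site_of(setting_host) != site_of(visited_host)

def classify(setting_host: str, header: str, visited_host: str) -> dict:
    c = parse_set_cookie(header)
    return {
        "name": c["name"],
        "lifetime": "persistent" if is_persistent(c) else "session",
        "origin": "third-party" if is_third_party(setting_host, visited_host) else "first-party",
        "secure": c["attrs"].get("secure") is True,
        "httponly": c["attrs"].get("httponly") is True,
    }
```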
- PRIVACY AND SECURITY
- AUTHENTICATION COOKIES, SESSION HIJACKING ATTACKS
When a user's authentication credentials are successfully validated, the web application generates authentication cookies and sends them to the browser [Dacosta et al. 2012]. Based on the cookies' scope and flags, the browser attaches these cookies to each request that requires authentication. Once established, they temporarily replace the user's password credentials, so it is vital that authentication cookies be carefully constructed to prevent potential abuse [Calzavara et al. 2015]. Even though web applications usually use cryptographic methods and algorithms to build authentication cookies, these mechanisms cannot guarantee confidentiality and integrity, so attacks may still happen depending on how cookies are used [Dacosta et al. 2012].
Session Hijacking Attacks:
Since cookies do not change during their lifetime, if attackers steal authentication cookies they are able to impersonate the user associated with those cookies until they expire [Wedman et al. 2013]. The case in which the attacker takes control of the user's session is known as session hijacking.
Figure 2: Session Hijacking [Dacosta et al. 2012]
As depicted in the figure, the victim sends an authentication cookie with each request to the web application over an unprotected network, so it can be captured by an attacker who is able to observe the session. To carry out the attack, the attacker can use tools such as FireSheep and then use the stolen cookie to make arbitrary requests to the web application until the cookie expires [Dacosta et al. 2012]. Even though session hijacking attacks have been known for a long time, several factors have increased the risk of these threats, such as the high popularity and importance of web applications, the growth of wireless networks, especially open Wi-Fi networks, and the availability of several automated, easy-to-use tools that execute session hijacking [Dacosta et al. 2012].
- SOLUTIONS AND COMPARISON
Many solutions have been proposed to prevent the theft of cookies through session hijacking. This paper analyzes and compares two solutions to session hijacking threats: the Synchronized State Cookie Protocol and One-time Cookies (OTC).
Synchronized State Cookie Protocol
Takahashi et al. presented the Synchronized State Cookie Protocol as an efficient method to prevent Cross-Site Scripting (XSS) attacks, which consequently makes it possible to prevent session hijacking. This method uses a one-time password and challenge-response authentication. With the one-time password, the server and the user share the same password, which is renewed at a fixed interval; this password needs to be kept synchronized at all times. The second feature of this method, challenge-response authentication, works as follows: the server sends a challenge value to the user in response to an authentication request, the user returns a value computed from that challenge, and the server checks whether the value sent by the user matches its own calculated value, deciding on that basis whether to grant the user access.
This method has some advantages, since even in the case of a Cross-Site Scripting (XSS) attack the attacker cannot abuse the cookie after it expires. However, as noted by Takahashi et al., this method does not guarantee that attackers cannot succeed in impersonation, since they can use the cookie before it expires. Some websites use long expiration times for cookies to avoid degrading the user experience. When cookies stay in the user's browser for a long time, they can be hijacked by an attacker, who can then impersonate the user until the cookie expires. Furthermore, as explained by Takahashi et al., the use of challenge-response authentication adds latency to client-server communication, which can result in a poor user experience.
One-time Cookies (OTC)
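The two features just described (a shared password renewed every fixed interval, and a challenge-response round) as an added illustrative sketch. This is not Takahashi et al.'s protocol or code: the 30-second interval, the HMAC-SHA256 derivations, the login-time seed and the single-use challenge table are all assumptions made for the example. The run in `demo()` shows why a captured response is useless against a fresh challenge and what happens when the two sides' clocks fall into different windows.

```python
"""Sketch of a synchronized one-time password combined with challenge-response
authentication. Added example illustrating the mechanism described above; it is
not Takahashi et al.'s protocol, and the interval and key sizes are assumptions."""
import hashlib
import hmac
import secrets

INTERVAL = 30  # seconds: the shared password is renewed once per interval (assumed)

def current_password(seed: bytes, now: int) -> bytes:
    """Both sides derive the password for the current time window from a seed
    shared at login; if their clocks fall in different windows they desynchronize."""
    return hmac.new(seed, str(now // INTERVAL).encode(), hashlib.sha256).digest()

def answer(seed: bytes, challenge: str, now: int) -> str:
    """Client side: bind this window's password to the server's challenge."""
    pw = current_password(seed, now)
    return hmac.new(pw, challenge.encode(), hashlib.sha256).hexdigest()

class Server:
    def __init__(self, seed: bytes):
        self.seed = seed
        self.pending = {}  # challenge -> issue time; every challenge is single-use

    def issue_challenge(self, now: int) -> str:
        challenge = secrets.token_hex(16)
        self.pending[challenge] = now
        return challenge

    def verify(self, challenge: str, response: str, now: int) -> bool:
        issued = self.pending.pop(challenge, None)  # unknown or already-used challenge
        if issued is None or now - issued > INTERVAL:
            return False
        return hmac.compare_digest(answer(self.seed, challenge, now), response)

def demo() -> dict:
    """Constructed run: one honest exchange, then replay, cross-challenge and clock-skew cases."""
    seed, t = secrets.token_bytes(32), 1_000_000
    srv = Server(seed)
    c1 = srv.issue_challenge(t)
    r1 = answer(seed, c1, t)
    ok = srv.verify(c1, r1, t)
    replay = srv.verify(c1, r1, t)  # same challenge again: already consumed
    c2 = srv.issue_challenge(t + 1)
    cross = srv.verify(c2, r1, t + 1)  # a captured response fits only its own challenge
    c3 = srv.issue_challenge(t + INTERVAL)
    skew = srv.verify(c3, answer(seed, c3, t), t + INTERVAL)  # client still in the old window
    return {"ok": ok, "replay": replay, "cross": cross, "skew": skew}
```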
Another alternative to authentication cookies is given by Dacosta et al., as a mechanism that replaces authentication cookies with One-time Cookies (OTC), which provide a more robust defense against hijacking attacks. In this model, authentication and session management are separated. To protect the setup of its credential, OTC relies on HTTPS.
To design a robust OTC, the mechanism should have these properties: session integrity, statelessness, robustness, performance and scalability, usability, concurrency, and browser support [Dacosta et al. 2012]. The protocol creates a unique token per request, so the same token cannot be reused for different requests.
Figure 3: Flow diagram of a web session using OTC [Dacosta et al. 2012]
According to Dacosta et al., OTC is not only resistant to session hijacking but also retains the simplicity and performance benefits of cookies. The OTC model was implemented as a WordPress plug-in of fewer than 200 lines of code that replaces the create and verify functions of authentication cookies [Dacosta et al. 2012].
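The contrast between a conventional authentication cookie and a per-request token, as an added example that is not Dacosta et al.'s plug-in code or the paper's own. It also illustrates the session hijacking point from the earlier section: a MAC-protected static cookie is accepted every time it is presented, whereas an OTC-style token minted for one request is rejected when replayed or reused for a different request. The master secret, the 60-second window, the `user|session|timestamp|nonce|mac` layout and the nonce bookkeeping are assumptions of this sketch.

```python
"""Static authentication cookie versus a One-time Cookie (OTC) token.
Added example: a sketch of the per-request-token idea, not Dacosta et al.'s
plug-in. The master secret, the 60 s window and the nonce bookkeeping are assumptions."""
import hashlib, hmac, secrets

SERVER_SECRET = secrets.token_bytes(32)  # constructed master secret; never leaves the server
WINDOW = 60  # seconds a token stays acceptable (assumed)
SEEN = set()  # (session id, nonce) pairs already accepted inside the window (assumed)

def sign(key: bytes, msg: str) -> str:
    return hmac.new(key, msg.encode(), hashlib.sha256).hexdigest()

# Classic cookie: MAC-protected, but identical on every request, so one capture suffices.
def make_static_cookie(user: str) -> str:
    return f"{user}.{sign(SERVER_SECRET, user)}"

def check_static_cookie(cookie: str) -> bool:
    user, _, mac = cookie.rpartition(".")
    return hmac.compare_digest(sign(SERVER_SECRET, user), mac)

# OTC: a session key handed to the client once (over HTTPS), then a fresh token per
# request. The server re-derives the key from its master secret and stores no session.
def session_key(user: str, sid: str) -> bytes:
    return hmac.new(SERVER_SECRET, f"{user}|{sid}".encode(), hashlib.sha256).digest()

def make_otc(key: bytes, user: str, sid: str, method: str, path: str, ts: int, nonce: str) -> str:
    mac = sign(key, f"{method}|{path}|{ts}|{nonce}")  # token is bound to this one request
    return f"{user}|{sid}|{ts}|{nonce}|{mac}"

def check_otc(token: str, method: str, path: str, now: int) -> bool:
    user, sid, ts, nonce, mac = token.split("|")
    if now - int(ts) > WINDOW or (sid, nonce) in SEEN:
        return False  # expired or replayed
    expected = sign(session_key(user, sid), f"{method}|{path}|{ts}|{nonce}")
    if not hmac.compare_digest(expected, mac):
        return False  # minted for a different request
    SEEN.add((sid, nonce))
    return True

def demo() -> dict:
    now, sid = 1_700_000_000, secrets.token_hex(8)  # constructed clock and session id
    static = make_static_cookie("alice")
    token = make_otc(session_key("alice", sid), "alice", sid, "GET", "/account", now, secrets.token_hex(8))
    return {
        "static_replays": check_static_cookie(static) and check_static_cookie(static),
        "otc_other_request": check_otc(token, "POST", "/transfer", now + 1),
        "otc_first_use": check_otc(token, "GET", "/account", now + 1),
        "otc_replay": check_otc(token, "GET", "/account", now + 2),
    }
```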
Comparison of models
The model presented by Dacosta et al. is a good potential alternative for cookie-based authentication. Unlike the approach of Takahashi et al., OTCs are not designed to mitigate XSS. However, OTCs are carried only over HTTPS, so XSS attacks cannot succeed. Still, not all websites use HTTPS on the pages that carry user authentication tokens. Google released a report in 2016 revealing that many well-known websites, such as ebay.com and imdb.com, did not use SSL/TLS by default [LaCroix et al. 2017].
Figure 4: Comparison between Synchronized State Cookie Protocol and OTC
This paper has presented a technical and analytical view of internet cookies, their functionality, and their usability. Since the use of cookies for managing web state raises privacy and security concerns, it is imperative to understand website vulnerabilities and the potential threats to cookies. Well-known website attacks such as XSS may be followed by session hijacking, which results in the theft of authentication cookies. The Synchronized State Cookie Protocol and OTC are presented as solutions for protecting the authentication data stored in cookies. Based on the analysis and comparison, the first solution is better at mitigating XSS attacks; however, it suffers from latency due to challenge-response authentication. The second solution is a more robust alternative for authentication cookies, and it runs only over HTTPS. However, neither method offers any solution to social engineering attacks or malware attacks.
In conclusion, there is no hundred percent secure alternative for data privacy on the internet. It is the responsibility of both server and client to contribute to preventing website attacks and to maintaining cookie sessions and data integrity and confidentiality. Mitigation of cookie abuse can be achieved by having well-developed and well-maintained websites and web servers. Also, users should be well informed about the usage of cookies before accepting or declining them. In general, when it comes to data privacy, using HTTPS channels and avoiding public networks for making financial transactions or transmitting sensitive data is an essential step toward protecting cookies from session hijacking as well as preserving data integrity and confidentiality.
A. Aladeokin, P. Zavarsky, N. Memon, 2017. Analysis and compliance evaluation of cookies-setting websites with privacy protection laws, 12th International Conference on Digital Information Management.
A. Javed, C. Merz, J. Schwenk, 2014. TTPCookie: Flexible Third-Party Cookie Management for Increasing Online Privacy, IEEE 13th International Conference on Trust, Security and Privacy in Computing and Communications.
B. Li, S. Lv, Y. Zhang, M. Tian, 2013. The application research of Cookies in network security, International Conference on Sensor Network Security Technology and Privacy Communication System.
M. Bugliesi, S. Calzavara, R. Focardi, W. Khan, 2015. CookiExt: Patching the browser against session hijacking attacks.
S. Calzavara, G. Tolomei, A. Casini, M. Bugliesi, S. Orlando, 2015. A Supervised Learning Approach to Protect Client Authentication on the Web.
I. Dacosta, S. Chakradeo, M. Ahamad, P. Traynor, 2012. One-time cookies: Preventing session hijacking attacks with stateless authentication tokens.
F. Nosheen, U. Qamar, 2015. Flexibility and privacy control by cookie management, Third International Conference on Digital Information, Networking, and Wireless Communications.
H. Wu, W. Chen, Z. Ren, 2010. Securing Cookies with a MAC Address Encrypted Key Ring, Second International Conference on Networks Security, Wireless Communications and Trusted Computing.
I. Ayadi, A. Serhrouchni, G. Pujolle, N. Simoni, 2011. HTTP Session Management: Architecture and Cookies Security, Conference on Network and Information Systems Security.
K. LaCroix, Y. L. Loo, Y. B. Choi, 2017. Cookies and Sessions: A Study of What They Are, How They Work and How They Can Be Stolen, International Conference on Software Security and Assurance.
O. Sörensen, 2013. Zombie-cookies: Case studies and mitigation, 8th International Conference for Internet Technology and Secured Transactions.
R. Putthacharoen, P. Bunyatnoparat, 2011. Protecting cookies from Cross Site Script attacks using Dynamic Cookies Rewriting technique, 13th International Conference on Advanced Communication Technology.
S. Wedman, A. Tetmeyer, H. Saiedian, 2013. An Analytical Study of Web Application Session Management Mechanisms and HTTP Session Hijacking Attacks.
C. Yue, M. Xie, H. Wang, 2010. An automatic HTTP cookie management system.