The Secret Life of Browser Cookies

Reginald Laurent
Lotus Fruit

The function of a browser cookie is to identify you and remember things about you as you move through your web sessions. Logically speaking, all cookies are essentially text files that hold vital information about an established session. The World Wide Web is in and of itself one of the most innovative technologies to date, yet it lives on a brittle foundation, littered with specifications to reinforce it.

Cookies are vital to how the WWW works. The attack exposure that cookies produce bears directly on the protections and processes required to ensure their integrity and confidentiality. To understand why, we need to take a look at a cookie's life cycle, from when it is established to when it is used and disposed of. It's also worth noting that the cookie protocol is still based on RFC 2109, which was created 20 years ago.

Properties of a Cookie

Cookies are scoped to the domain that sent the request for a “Set-Cookie” response. So if I were to send a request from lotuseater.io with HTTP headers of Domain and Path to the backend server, I would get a Set-Cookie response for *.lotuseater.io. The cookie is then resent with each page request to all the domains that match *.lotuseater.io.
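The scoping described above can be checked mechanically. The following is an added example, not code from the original article: it applies the domain-match and path-match rules as written in RFC 6265 (sections 5.1.3 and 5.1.4) to show which hosts get a cookie back. The function names and every hostname other than lotuseater.io are constructed for illustration; the default path is simplified to "/" and the browser's public-suffix check is not modelled.

```javascript
// Added example: which requests carry a cookie, per RFC 6265 domain/path matching.
// Function names and sample hosts are assumptions made for this illustration.

// IP-literal hosts only ever match exactly, never as a "parent domain".
const isIp = (h) => /^\d{1,3}(\.\d{1,3}){3}$/.test(h) || h.includes(":");

function domainMatch(host, cookieDomain) {
  if (host === cookieDomain) return true;
  // The suffix must start at a label boundary, hence the leading dot.
  return !isIp(host) && host.endsWith("." + cookieDomain);
}

function pathMatch(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  // "/account" covers "/account/x" but not "/accounting".
  return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
}

// Turn the Set-Cookie attributes from `responseHost` into a stored scope.
function storeCookie(responseHost, { domain, path } = {}) {
  const host = responseHost.toLowerCase();
  if (!domain) {
    // No Domain attribute: host-only cookie, returned to this exact host alone.
    return { domain: host, hostOnly: true, path: path || "/" };
  }
  const d = domain.toLowerCase().replace(/^\./, ""); // a leading dot is ignored
  // A host may only set cookies for itself or one of its parent domains.
  if (!domainMatch(host, d)) return null;
  return { domain: d, hostOnly: false, path: path || "/" };
}

function cookieSentTo(cookie, url) {
  const { hostname, pathname } = new URL(url);
  const hostOk = cookie.hostOnly
    ? hostname === cookie.domain
    : domainMatch(hostname, cookie.domain);
  return hostOk && pathMatch(pathname, cookie.path);
}

// Constructed sample: the same cookie set with and without a Domain attribute.
const wide = storeCookie("lotuseater.io", { domain: "lotuseater.io" });
const narrow = storeCookie("lotuseater.io");
for (const u of ["https://lotuseater.io/", "https://blog.lotuseater.io/post"]) {
  console.log(u, "wide:", cookieSentTo(wide, u), "host-only:", cookieSentTo(narrow, u));
}
```

A cookie set with a Domain attribute reaches every subdomain, so its confidentiality depends on the least trusted host under that domain; omitting Domain keeps it on the one host that set it.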

Reginald Laurent
Lotus Fruit

An internet researcher that loves to write about futurology, cybersecurity, and design. Finding answers to the self, and the virtual world around us. 🌸💀🌸