Cookies

Cookies¶

Unusual Cookies¶

Source

• Standard HTTP Cookies
• HTTP Strict Transport Security (HSTS) Pinning
• Local Shared Objects (Flash Cookies)
• Storing cookies in RGB values of auto-generated, force-cached
  PNGs using HTML5 Canvas tag to read pixels (cookies) back out
• Storing cookies in Web History
• Storing cookies in HTTP ETags
• Storing cookies in Web cache
• window.name caching
• Internet Explorer userData storage
• HTML5 Session Storage
• HTML5 Local Storage
• HTML5 Global Storage
• HTML5 Database Storage via SQLite
• HTML5 IndexedDB
• Java JNLP PersistenceService
• Java CVE-2013-0422 exploit (applet sandbox escaping)
• Caching in HTTP Authentication
• Using Java to produce a unique key based off of NIC info
• Google Gears

Changes to Cookies¶

Google Chrome

Expires Flag¶

• Uses a finite date to expire a cookie. Ex. Expires=Wed, 21 Oct 2015 07:28:00 GMT
• If this is not set then the cookie expires when the session is closed.
  • If a browser session is restored as part of a option by the browser then the session is never closed.

Max-Age Flag¶

• Used to set an auto expiration client side of the cookie.
• This is done in the number of seconds that it is valid for
• If both Expires and Max-age flags are set Max-age has priority

Domain Flag¶

• If the domain flag is not set then the current full domain not including subdomains is set.
• It is not possible to set more than one host/domain values are not allowed,
• If a domain is manually specified in then all subdomains are included

Path Flag¶

• Specify only a certain directory and subdirectory with this attribute

Secure Flag¶

• http sites cannot set https headers
• only sent if the server is using SSL/TLS

HttpOnly Flag¶

• Restricts JavaScript from accessing the cookie
• This cookie will still be sent with JavaScript-initiated requests

SameSite Flag¶

Same site also includes subdomains.
google.com cookies will work for mail.google.com

HTTP External Endpoint:

HTTPS External Endpoint: