The Way of Cookies: John PJ Perry, Support Engineer, Internet Client Development, Microsoft Corporation

1
The Way of Cookies
John PJ Perry
Support Engineer
Internet Client Development
Microsoft Corporation
2
What We Will Cover
  • Cookies
  • Headers
  • ASP session state
  • Basic security

3
What We Will Not Cover
  • Not spoofing
  • Not encryption

4
Cookies
  • Why
  • What
  • How

5
Cookies: Why and What
6
Cookie Purpose
  • Local persistent storage
  • Linked to a single server
  • Limited in size and scope

7
Pros
  • Data saved between sessions
  • Simple implementation, native functionality
  • Simple array structure
  • Limited to your domain

8
Cons
  • User controls storage
  • Not always active
  • Little storage flexibility
  • Limited to your domain

9
Proposed Specifications
  • Request for Comments (RFC)
  • RFC 2109
  • RFC 2965
  • RFCs available from either:
  • http://community.roxen.com/developers/idocs/rfc/rfc2965.html
  • http://sunsite.dk/RFC/

10
Cookie Syntax
  • av-pairs = av-pair *(";" av-pair)
  • av-pair = attr ["=" value]
  • attr = token
  • value = token | quoted-string

11
Cookie Limits
  • 300 cookies
  • 4096 bytes per cookie
  • 20 per unique host/domain
  • End user can alter these limits

12
Domain
  • .microsoft.com allows
  • example.microsoft.com
  • sample.microsoft.com
  • but does not allow
  • webcast.example.microsoft.com
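
The Domain rule on this slide, as an added example that is not part of the original presentation: the RFC 2965 section 3.3.2 checks a user agent applies to the Domain attribute before storing a cookie. The function names are hypothetical, and only IPv4 literals are recognised as non-host-name request hosts.

```javascript
// Added example (not from the slides): RFC 2965 Domain attribute checks.
// Function names are hypothetical; host names used are the ones on the slide.

function isIPv4(host) {
  return /^\d{1,3}(\.\d{1,3}){3}$/.test(host);
}

// RFC 2965 domain-match: the strings are equal, or host = N + domain where
// N is non-empty and domain begins with a dot. IP addresses only match exactly.
function domainMatches(host, domain) {
  const a = host.toLowerCase();
  const b = domain.toLowerCase();
  if (a === b) return true;
  if (isIPv4(a)) return false;
  return b.startsWith(".") && a.length > b.length && a.endsWith(b);
}

// Decide whether a cookie sent by requestHost with the given Domain
// attribute may be stored. Returns { accepted, reason }.
function checkCookieDomain(requestHost, domainAttr) {
  const host = requestHost.toLowerCase();
  let domain = domainAttr.toLowerCase();
  // A Domain value without a leading dot is treated as if it had one.
  if (!domain.startsWith(".")) domain = "." + domain;

  // Reject values with no embedded dot (such as ".com"), except ".local".
  if (domain !== ".local" && !domain.slice(1).includes(".")) {
    return { accepted: false, reason: "no embedded dot" };
  }
  // The request host must domain-match the Domain attribute.
  if (!domainMatches(host, domain)) {
    return { accepted: false, reason: "host does not domain-match" };
  }
  // With host = H + D, the prefix H must not itself contain a dot. This is
  // why webcast.example.microsoft.com cannot set Domain=.microsoft.com.
  const prefix = host.slice(0, host.length - domain.length);
  if (prefix.includes(".")) {
    return { accepted: false, reason: "host prefix contains a dot" };
  }
  return { accepted: true, reason: "ok" };
}

console.log(checkCookieDomain("example.microsoft.com", ".microsoft.com"));
console.log(checkCookieDomain("webcast.example.microsoft.com", ".microsoft.com"));
```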

13
Where They Come from
  • HTTP headers
  • Client-Script

14
Set-Cookie header
  • set-cookie = "Set-Cookie2:" cookies
  • cookies = 1#cookie
  • cookie = NAME "=" VALUE *(";" set-cookie-av)
  • NAME = attr
  • VALUE = value
  • set-cookie-av = ..
  • portlist = 1#portnum
  • portnum = 1*DIGIT

15
Set-cookie-av
  • "Comment" "=" value
  • "Domain" "=" value
  • "Max-Age" "=" value
  • "Path" "=" value
  • "Secure"
  • "Version" "=" 1*DIGIT

16
Expiration
  • Expiration based on Unix-Date
  • Session versus persistent
  • Storage

17
Cookies: How
18
From the Server
  • IIS
  • ASP

19
Setting from the Server
    <%
    ' Set the expiration date, then three keys of one dictionary cookie
    Response.Cookies("HorseFeathers").Expires = "January 1, 2002"
    Response.Cookies("HorseFeathers")("Groucho") = "Julius"
    Response.Cookies("HorseFeathers")("Chico") = "Leonard"
    Response.Cookies("HorseFeathers")("Harpo") = "Arthur"
    %>

20
Reading from the Server
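    <%
    ' Cookie keys and values come from the client, so HTML-encode them before writing
    For Each ItemKey In Request.Cookies("HorseFeathers")
        Response.Write Server.HTMLEncode(ItemKey) & "<br />"
        Response.Write Server.HTMLEncode(Request.Cookies("HorseFeathers")(ItemKey)) & "<p />"
    Next
    %>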

21
Caching
  • Proxies must obey caching for cookies
  • Proxies must not introduce cookies

22
Setting from the Client
    <SCRIPT>
    function SetCookie(sName, sValue) {
      // As on the slide, expires is the current time; a persistent cookie needs a future date
      var date = new Date();
      document.cookie = sName + "=" + escape(sValue) + "; expires=" + date.toGMTString();
    }
    </SCRIPT>

23
Reading from the Client
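    <SCRIPT>
    function GetCookie(sName) {
      // document.cookie is a list of name=value pairs separated by "; "
      var aCookie = document.cookie.split("; ");
      for (var i = 0; i < aCookie.length; i++) {
        var aCrumb = aCookie[i].split("=");
        if (sName == aCrumb[0])
          return unescape(aCrumb[1]);
      }
      // No cookie with the requested name
      return null;
    }
    </SCRIPT>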

24
ASP Sessions
  • ASP Sessions use cookies for tracking
  • Session scope / expiration JP
  • Session IDs relate to server storage
  • Session IDs may be recycled
  • Fixes for frame / instance inconsistencies
  • Not supported on Web farms

25
Security
26
Domain Matching
27