Lecture 22: Cookies and Session Management

Intro to Cookies

Why do we need cookies to maintain state across multiple HTTP requests?

Viewing Cookies

What stateful information might cnn.com be storing in its cookies?

Why do we need to define domain and path scopes for each cookie, instead of sending every cookie in the browser on every request?

Why might we want to let mail.google.com set a cookie for google.com?

Scope for Sending Cookies

If Cookie 1’s path was changed to /user, which of the three domains would it be sent to?

Examples of Setting and Sending Cookies

Modifying Cookies in Browser

See Q3.5-Q3.9 on Homework 6 for some practice on viewing and modifying cookies in your browser.

Bypassing Same-Origin Policy with Cookies

What difference between the same-origin policy and cookie policy causes this vulnerability?

(Fill in the blanks: Same-origin policy thinks that financial.example.com and blog.example.com are controlled by ___ (the same/different) organization(s) because ___, but cookie policy thinks they are controlled by ___ (the same/different) organization(s) because ___.)

Session Management with HTTP Auth

Session Token Analogy

Session Tokens

Storing Session Tokens

When could a man-in-the-middle attacker on the network steal a user’s session token?