HTTP is a stateless protocol. In 1994, Netscape invented a mechanism called a "cookie" as a method for session tracking. A cookie is a small piece of information usually created by the Web server and stored in the Web browser. Each time the user contacts the Web server, this data is passed back to the server. The cookie contains information used by Web applications to persist and pass variables back and forth between the browser and the Web application.
There are two types of client-side cookies:
As a result of the cookie structure and their usage, all data stored in a client-side cookie could be easily read and manipulated. The risk of tampering with data and even information disclosure is very high. Due to the fact that many cookies are Base64 encoded, no cryptographic protection is offered. The best practice to avoid cookie manipulation is to be suspicious of data stored in cookies.
Example Code (Cookies sent by the server, the first one being persistent)
HTTP/1.1 200 OK ... Set-Cookie: client=a5b35e36-b342-464b-a3a6-8e3718990af9; domain=.sap.com; expires=Wed, 18-Jan-2006 11:38:56 GMT ; path=/ Set-Cookie: ASP.NET_SessionId=c12ylm55kp3uirruo4is5sm5; path=/ ...
Example Code (Cookie sent by the client)
POST /index.epx HTTP/1.1 ... Cookie: GCUID01=452492715; GCCKVER=5; ASP.NET_SessionId=c12ylm55kp3uir ruo4is5sm5; client=a5b35e36-b342-464b-a3a6-8e3718990af9
Session tracking mechanisms within Java development on the SAP NetWeaver platform follow the J2EE standard. There is no additional support from the SAP NetWeaver platform with regard to improving security beyond the general recommendations of the J2EE standard (see next section).
The HttpSession object of the J2EE standard allows you to track sessions with an object residing on the server side. It solves the problem of session tracking when the user has disabled the cookies mechanism in his or her Web browser on the client side.
Example Code (Using HttpSession)
import javax.http.servlet.HttpSession; … HttpSession session = request.getSession(true); ShoppingCart cart = (ShoppingCart)session.getAttribute("shoppingCart"); if (cart==null) { cart = new ShoppingCart(); session.setAttribute("shoppingCart",cart); } …
For more information, see the J2EE Session Tracking API:
java.sun.com/products/servlet/2.2/javadoc/index.html
If information of this type is important for control, you should use a hash procedure for one-way encryption of the data.
Sometimes cookies may contain personal information, if programmers do not follow the advice never to store any confidential data in a cookie. The extent of cookie manipulation ranges from session tokens to arrays that make authorization decisions. Cookie poisoning can even lead to vulnerabilities such as SQL injection and cross-site scripting.
Examples
Example Code 1
Original Cookie:
Cookie: lang=en-us; ADMIN=no; y=1; time=10:30GMT;
Cookie Modified by an Attack
Cookie: lang=en-us; ADMIN=yes; y=1; time=12:30GMT;
Example Code 2
Shopping carts used to store pricing information in cookies.
Part of a Shopping Cart Application's Cookie:
item1_ID=12369&item1_pr=27,95&item2_ID=10334&item2_pr=19,95 > Total Amount: $47,90
Manipulated Cookie
item1_ID=12369&item1_pr=0,95&item2_ID=10334&item2_pr=1,95 > Total Amount: $2,90
surfnet.dl.sourceforge.net/sourceforge/owasp/OWASPGuide2.0.1.pdf
www.sdn.sap.com/irj/servlet/prt/portal/prtroot/com.sap.km.cm.docs/library/events/sap-teched-04/Writing%20Secure%20Web%20Applications.pdf
java.sun.com/products/servlet/2.2/javadoc/index.html