Background Documentation: Cookie Manipulation

Description

HTTP is a stateless protocol. In 1994, Netscape invented a mechanism called a “cookie” as a method for session tracking. A cookie is a small piece of information, usually created by the Web server and stored in the Web browser. On every subsequent request to that server, the browser sends the cookie back. Web applications use cookies to persist state and to pass variables back and forth between the browser and the Web application.

There are two types of client-side cookies:

     Persistent cookies: stored in a file on the client until an expiry date.

     Session cookies: kept in the memory of the client until the browser session is ended.

Because a client-side cookie is stored on the client and sent back by the client, everything in it can be read and modified by the user, or by anyone who can read the traffic. The risk of data tampering and of information disclosure is therefore high. Note that Base64 is an encoding, not encryption: a Base64-encoded cookie is decoded in one step and offers no cryptographic protection. The best practice is to treat every value that comes back in a cookie as untrusted input: validate it on the server each time, and never let it make a security decision on its own.

Examples

Example Code (Cookies sent by the server; the first one is persistent because it carries an expires attribute, the second is a session cookie. Neither is marked Secure or HttpOnly, so both are sent over plain HTTP and are readable from script in the page.)

HTTP/1.1 200 OK
...
Set-Cookie: client=a5b35e36-b342-464b-a3a6-8e3718990af9; domain=.sap.com; expires=Wed, 18-Jan-2006 11:38:56 GMT; path=/
Set-Cookie: ASP.NET_SessionId=c12ylm55kp3uirruo4is5sm5; path=/
...

Example Code (Cookie sent by the client):

POST /index.epx HTTP/1.1
...
Cookie: GCUID01=452492715; GCCKVER=5; ASP.NET_SessionId=c12ylm55kp3uirruo4is5sm5; client=a5b35e36-b342-464b-a3a6-8e3718990af9

What Do I Get from the SAP NetWeaver Platform?

The ABAP class CL_BSP_SERVER_SIDE_COOKIE provides methods for setting, getting, deleting, and managing cookies on the server. For more information, see Class CL_BSP_SERVER_SIDE_COOKIE.

Server-side cookies are persistent data, similar to the usual client-side cookies, but the data itself is stored in the database on the server; the browser holds only the session under which the data is looked up. This removes the size restrictions that apply to client-side cookies, and since the data never leaves the server, a malicious user cannot remotely tamper with it. What the client still controls is the session it presents, so the server must bind each server-side cookie to the correct browser session (see below).

For technical reasons, each individual cookie can be stored in one of the following ways:

     As a field

     As a structure

     As a table

What Do I Need to Do?

Cookies should be used for the following purposes only:

     To maintain session IDs.

     To persist certain information on the browser.

When dealing with cookies, take the following security considerations into account:

     Store all data in a server-side cookie. Do not store ANY data in a client-side cookie unless you absolutely have to. Whatever you do store there can be read and manipulated by the client, so validate it on the server every time it comes back, and never base an authorization or pricing decision on it alone.

     Use the session management that the SAP NetWeaver platform provides. Do not create your own.

     Never store any confidential data in a cookie, such as the non-public IP addresses of target servers, host names, or system IDs. If information of this type is needed for control purposes, store only a one-way hash of it. A hash is not encryption: it cannot be reversed, but an unkeyed hash of a low-entropy value such as a host name can be recovered by guessing, so use a keyed hash (HMAC) with a secret that stays on the server, and perform the comparison on the server.

     Use idle timeouts for applications that expose private data or that may cause identity theft if left open.

     Offer a logout mechanism to the user, so that a session can be ended manually instead of waiting for the idle timeout to end it automatically.

When using the methods of the ABAP class CL_BSP_SERVER_SIDE_COOKIE to set, get, delete and manage cookies, pay attention to the parameters username and session_id of these methods: together with the cookie name they determine which stored data a request can reach. Passing sy-uname (the current ABAP user) as username is ambiguous for applications that are started by anonymous users, because all anonymous requests run under the same service user maintained on the server and would therefore share one server-side cookie. Use session_id instead: runtime->session_id identifies the individual browser session, so each browser gets its own data.

For more information about this issue, see Class CL_BSP_SERVER_SIDE_COOKIE.
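The following Python model is an added example; it is not code from the SAP documentation and not the implementation of CL_BSP_SERVER_SIDE_COOKIE. It shows the security model behind server-side cookies described above: the data stays on the server, the browser holds only an opaque session ID, and the store enforces an idle timeout and a logout. It also reproduces the keying problem from the previous paragraph: when an anonymous application runs every request under one shared service user, binding the server-side cookie to the user name lets one browser session read another's data, while binding it to the browser session ID keeps them apart. The class and method names, the 15-minute timeout and the service user name ANON_SERVICE are assumptions made for this example.

```python
"""Server-side cookie store with session keying, idle timeout and logout (added example)."""
import secrets
import time

IDLE_TIMEOUT_SECONDS = 15 * 60   # assumed value for this example


class ServerSideCookieStore:
    """Keeps cookie data on the server; the browser only ever holds the opaque session ID.

    Stands in for the database table behind CL_BSP_SERVER_SIDE_COOKIE (assumption: the
    real class has its own table layout and parameters; only the security model is shown).
    """

    def __init__(self, clock=time.time):
        self._clock = clock
        self._rows = {}        # (application, owner_key) -> {cookie name: value}
        self._last_seen = {}   # (application, owner_key) -> time of last access

    def set_cookie(self, application, owner_key, name, value):
        row = self._rows.setdefault((application, owner_key), {})
        row[name] = value
        self._last_seen[(application, owner_key)] = self._clock()

    def get_cookie(self, application, owner_key, name):
        key = (application, owner_key)
        if key not in self._rows:
            return None
        if self._clock() - self._last_seen[key] > IDLE_TIMEOUT_SECONDS:
            self.delete_all(application, owner_key)   # idle timeout: drop this owner's data
            return None
        self._last_seen[key] = self._clock()
        return self._rows[key].get(name)

    def delete_all(self, application, owner_key):
        """Logout: discard everything stored for this owner."""
        self._rows.pop((application, owner_key), None)
        self._last_seen.pop((application, owner_key), None)


def new_session_id():
    """Opaque, unguessable browser session ID; this is all the client ever stores."""
    return secrets.token_urlsafe(32)


def owner_key(key_by, username, session_id):
    """Choose what a server-side cookie is bound to: the user name or the browser session."""
    return username if key_by == "username" else session_id


def anonymous_sessions_isolated(key_by):
    """Two browsers use an anonymous application that runs under one shared service user.
    Returns True if browser B cannot see browser A's data."""
    store = ServerSideCookieStore()
    shared_user = "ANON_SERVICE"          # constructed: the service user both requests run as
    sid_a, sid_b = new_session_id(), new_session_id()
    store.set_cookie("shop", owner_key(key_by, shared_user, sid_a), "cart", "A's cart")
    seen_by_b = store.get_cookie("shop", owner_key(key_by, shared_user, sid_b), "cart")
    return seen_by_b is None


class FakeClock:
    """Controllable clock so the idle timeout can be exercised without waiting."""
    def __init__(self):
        self.now = 1_000_000.0

    def __call__(self):
        return self.now


def idle_timeout_and_logout():
    """Returns (value within timeout, value after idle timeout, value after logout)."""
    clock = FakeClock()
    store = ServerSideCookieStore(clock)
    sid = new_session_id()
    store.set_cookie("shop", sid, "cart", "cart")
    within = store.get_cookie("shop", sid, "cart")          # "cart"
    clock.now += IDLE_TIMEOUT_SECONDS + 1
    after_idle = store.get_cookie("shop", sid, "cart")      # None: idle timeout reached
    store.set_cookie("shop", sid, "cart", "cart again")
    store.delete_all("shop", sid)                            # explicit logout
    after_logout = store.get_cookie("shop", sid, "cart")    # None
    return within, after_idle, after_logout


if __name__ == "__main__":
    print("keyed by username, isolated:", anonymous_sessions_isolated("username"))
    print("keyed by session_id, isolated:", anonymous_sessions_isolated("session_id"))
    print("timeout/logout:", idle_timeout_and_logout())
```

Because the client never receives the stored data, the only thing it can tamper with is the session ID it presents, which is why that ID must be unguessable and why the store is keyed by it rather than by a user name that several browsers may share.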

How Not to Do It?

If programmers ignore the advice never to store confidential data in a cookie, cookies end up carrying personal information that anyone with access to the client can read. What an attacker can manipulate ranges from session tokens to flags and arrays on which the application bases its authorization decisions. And because cookie values are attacker-controlled input, cookie poisoning leads to SQL injection or cross-site scripting wherever a cookie value reaches a database query or an HTML page without validation and escaping.

Examples

Example Code 1

Original Cookie

Cookie: lang=en-us; ADMIN=no; y=1; time=10:30GMT;

Cookie Modified by an Attack

Cookie: lang=en-us; ADMIN=yes; y=1; time=12:30GMT;

Example Code 2

Shopping carts used to store pricing information in cookies.

Part of a Shopping Cart Application’s Cookie

item1_ID=12369&item1_pr=27,95&item2_ID=10334&item2_pr=19,95

> Total Amount: $47,90

Manipulated Cookie

item1_ID=12369&item1_pr=0,95&item2_ID=10334&item2_pr=1,95

> Total Amount: $2,90
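The two manipulations above, worked through in Python as an added example (not code from this page or from SAP): the cart total computed from the client-supplied prices versus from a server-side price list, and a keyed hash (HMAC-SHA256 with a server-side secret) over a cookie value so that changing ADMIN=no to ADMIN=yes is detected when the cookie comes back. The price catalogue, the key and the helper names are constructed for the example; the cookie values are the ones shown above. The last helper also shows that a signed cookie is still readable without the key, which is why confidential data does not belong in it even when it is signed.

```python
"""Client-side cookie values: trusting them versus verifying them (added example)."""
import base64
import hashlib
import hmac
from decimal import Decimal
from urllib.parse import parse_qsl

# Constructed: the server's own price list. Prices must come from here, never from the client.
CATALOGUE = {"12369": Decimal("27.95"), "10334": Decimal("19.95")}

# Constructed key for this example; a real one lives in a server-side secret store.
SERVER_KEY = b"example-only-key-replace-me"

# The two shopping-cart cookie values from the page (decimal comma as shown there).
ORIGINAL_CART = "item1_ID=12369&item1_pr=27,95&item2_ID=10334&item2_pr=19,95"
MANIPULATED_CART = "item1_ID=12369&item1_pr=0,95&item2_ID=10334&item2_pr=1,95"


def parse_cart(value):
    """Split 'item<n>_ID=..&item<n>_pr=..' into (item_id, client_supplied_price) pairs."""
    fields = dict(parse_qsl(value, keep_blank_values=True))
    items, n = [], 1
    while f"item{n}_ID" in fields:
        price = Decimal(fields.get(f"item{n}_pr", "0").replace(",", "."))
        items.append((fields[f"item{n}_ID"], price))
        n += 1
    return items


def total_trusting_cookie(value):
    """How not to do it: the price is whatever the browser sent back."""
    return sum((price for _, price in parse_cart(value)), Decimal("0"))


def total_from_catalogue(value):
    """The cookie only names the items; every price is looked up on the server.
    Unknown item IDs are rejected instead of being silently priced."""
    total = Decimal("0")
    for item_id, _ in parse_cart(value):
        if item_id not in CATALOGUE:
            raise ValueError(f"unknown item {item_id!r}")
        total += CATALOGUE[item_id]
    return total


def _b64(data):
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_cookie(value):
    """Return '<base64(value)>.<base64(HMAC-SHA256)>' so any change to value is detectable."""
    body = value.encode()
    tag = hmac.new(SERVER_KEY, body, hashlib.sha256).digest()
    return f"{_b64(body)}.{_b64(tag)}"


def verify_cookie(signed):
    """Return the original value if the tag matches, else None (constant-time compare)."""
    try:
        body_b64, tag_b64 = signed.split(".", 1)
        body, tag = _unb64(body_b64), _unb64(tag_b64)   # binascii.Error is a ValueError
    except ValueError:
        return None
    expected = hmac.new(SERVER_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return body.decode()


def tamper(signed, old, new):
    """What an attacker can do without the key: edit the encoded body, keep the old tag."""
    body_b64, tag_b64 = signed.split(".", 1)
    body = _unb64(body_b64).decode().replace(old, new)
    return f"{_b64(body.encode())}.{tag_b64}"


def read_without_key(signed):
    """Signing gives integrity, not confidentiality: the value is still readable by anyone."""
    return _unb64(signed.split(".", 1)[0]).decode()


if __name__ == "__main__":
    print("trusting cookie:", total_trusting_cookie(MANIPULATED_CART))
    print("from catalogue: ", total_from_catalogue(MANIPULATED_CART))
    signed = sign_cookie("lang=en-us&ADMIN=no")
    print("verified:", verify_cookie(signed))
    print("tampered:", verify_cookie(tamper(signed, "ADMIN=no", "ADMIN=yes")))
```

The signed-cookie variant is the fallback for data that must live on the client; the preferred design on the SAP NetWeaver platform remains a server-side cookie, where there is nothing on the client to sign.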

Further Information

     OWASP Guide Version 2.0.1 (Pages 147 – 160)
     surfnet.dl.sourceforge.net/sourceforge/owasp/OWASPGuide2.0.1.pdf

     Writing Secure Web Applications (Slides 50 – 51)
     www.sdn.sap.com/irj/servlet/prt/portal/prtroot/com.sap.km.cm.docs/library/events/sap-teched-04/Writing%20Secure%20Web%20Applications.pdf
