CSE 154 LECTURE 21: COOKIES

Similar documents
CSE 154 LECTURE 21: COOKIES

Lecture 11 & 12 PHP - III

CSE 154 LECTURE 13: SESSIONS

CSE 154 LECTURE 11: REGULAR EXPRESSIONS

Personalized WEB applications with PHP/databases

Lecture 9 & 10 PHP - II

Lecture 9a: Sessions and Cookies

Lecture 7: Dates/Times & Sessions. CS 383 Web Development II Wednesday, February 14, 2018

WEB SECURITY WORKSHOP TEXSAW Presented by Solomon Boyd and Jiayang Wang

Chapter 9. Managing State Information. Understanding State Information (continued) Understanding State Information 10/29/2011.

How browsers talk to servers. What does this do?

COMP519 Web Programming Lecture 28: PHP (Part 4) Handouts

Database Systems Fundamentals

Computer Networks. HTTP and more. Jianping Pan Spring /20/17 CSC361 1

5/19/2015. Objectives. JavaScript, Sixth Edition. Saving State Information with Query Strings. Understanding State Information

WEB APPLICATION ENGINEERING II

CPET 499/ITC 250 Web Systems. Topics

You can also set the expiration time of the cookie in another way. It may be easier than using seconds.

Chapter 7:- PHP. Compiled By:- Sanjay Patel Assistant Professor, SVBIT.

How to clear a web browsers cache, cookies and history last updated on 8/28/2013

Information Security CS 526 Topic 11

Managing State. Chapter 13

University of Washington, CSE 154 Homework Assignment 7: To-Do List

Introduction. Server-side Techniques. Introduction. 2 modes in the PHP processor:

CNIT 129S: Securing Web Applications. Ch 3: Web Application Technologies

Creating HTML files using Notepad

Web, HTTP and Web Caching

P2_L12 Web Security Page 1

CSE 154 LECTURE 9: SUBMITTING DATA (POST)

PHP CURRICULUM 6 WEEKS

Instructions for Configuring Your Browser Settings and Online Security FAQ s

Instructions For Configuring Your Browser Settings and Online Banking FAQ's

CS144: Sessions. Cookie : CS144: Web Applications

High -Tech Bridge s Web Server Security Service API Developer Documentation Version v1.3 February 13 th 2018

Web Programming 4) PHP and the Web

Information Security CS 526 Topic 8

Excerpts of Web Application Security focusing on Data Validation. adapted for F.I.S.T. 2004, Frankfurt

Manual Html A Href Javascript Window Open New Browser

Alpha College of Engineering and Technology. Question Bank

Lesson 4: Web Browsing

PHP: Cookies, Sessions, Databases. CS174. Chris Pollett. Sep 24, 2008.

Cookies, sessions and authentication

HTTP Reading: Section and COS 461: Computer Networks Spring 2013

Unit 4 The Web. Computer Concepts Unit Contents. 4 Web Overview. 4 Section A: Web Basics. 4 Evolution

Server-Side Web Programming: Python (Part 1) Copyright 2017 by Robert M. Dondero, Ph.D. Princeton University

CSCI-1680 WWW Rodrigo Fonseca

PHP. Lab. de Bases de Dados e Aplicações Web MIEIC, FEUP 2010/11. Sérgio Nunes

Manual Html A Href Javascript Window Open In New

FIREFOX MENU REFERENCE This menu reference is available in a prettier format at

Web Security. Jace Baker, Nick Ramos, Hugo Espiritu, Andrew Le

Multimedia im Netz Online Multimedia Winter semester 2015/16. Tutorial 03 Minor Subject

INTERNET ENGINEERING. HTTP Protocol. Sadegh Aliakbary

1-1. Switching Networks (Fall 2010) EE 586 Communication and. September Lecture 10

CMSC 332 Computer Networking Web and FTP

Analytics, Insights, Cookies, and the Disappearing Privacy

Lecture 7b: HTTP. Feb. 24, Internet and Intranet Protocols and Applications

Checklist for Testing of Web Application

Course Syllabus. Course Title. Who should attend? Course Description. PHP ( Level 1 (

Republicbank.com Supported Browsers and Settings (Updated 03/12/13)


PHP + ANGULAR4 CURRICULUM 6 WEEKS

CNIT 129S: Securing Web Applications. Ch 12: Attacking Users: Cross-Site Scripting (XSS) Part 2

3. WWW and HTTP. Fig.3.1 Architecture of WWW

PHP State Maintenance (Cookies, Sessions, Hidden Inputs)

Abusing Windows Opener to Bypass CSRF Protection (Never Relay On Client Side)

Cookies and Other Client-Side Storage Techniques. Bok, Jong Soon

CNIT 129S: Securing Web Applications. Ch 4: Mapping the Application

GET /index.php HTTP/1.1 Host: User- agent: Mozilla/4.0

CITS1231 Web Technologies. PHP s, Cookies and Session Control

Handling Cookies. Agenda

CSCD 303 Essential Computer Security Fall 2018

CONTENTS IN DETAIL INTRODUCTION 1 THE FAQS OF LIFE THE SCRIPTS EVERY PHP PROGRAMMER WANTS (OR NEEDS) TO KNOW 1 2 CONFIGURING PHP 19

Don't Trust The Locals: Exploiting Persistent Client-Side Cross-Site Scripting in the Wild

Web basics: HTTP cookies

Web Application Security. Philippe Bogaerts

CS105 Perl: Perl CGI. Nathan Clement 24 Feb 2014

How is state managed in HTTP sessions. Web basics: HTTP cookies. Hidden fields (2) The principle. Disadvantage of this approach

JOE WIPING OUT CSRF

EEC-682/782 Computer Networks I

How to Configure SSL VPN Portal for Forcepoint NGFW TECHNICAL DOCUMENT

CS 161 Computer Security

Is Browsing Safe? Web Browser Security. Subverting the Browser. Browser Security Model. XSS / Script Injection. 1. XSS / Script Injection

You are Unable to Log into MBEF

Persistence & State. SWE 432, Fall 2016 Design and Implementation of Software for the Web

Persistence. SWE 432, Fall 2017 Design and Implementation of Software for the Web

WHY CSRF WORKS. Implicit authentication by Web browsers

B. V. Patel Institute of BMC & IT 2014

If you re serious about Cookie Stuffing, take a look at Cookie Stuffing Script.

PHP INTERVIEW QUESTION-ANSWERS

JOE WIPING OUT CSRF

CSC309: Introduction to Web Programming. Lecture 8

CSCI-1680 WWW Rodrigo Fonseca

Web Architecture Review Sheet

TABLE OF CONTENTS. Select the appropriate link below for the action you wish to perform. Log In. Forgot Password. First Time Registration

COMP519 Practical 5 JavaScript (1)

Web basics: HTTP cookies

Iowa IDEA Supported Browsers and Settings Updated 2/9/2009

CSCD 303 Essential Computer Security Fall 2017

Application Layer Attacks. Application Layer Attacks. Application Layer. Application Layer. Internet Protocols. Application Layer.

Internet Explorer 6 and 7 Users

Transcription:

CSE 154 LECTURE 21: COOKIES

Regular expressions in (PDF) regex syntax: strings that begin and end with /, such as "/[AEIOU]+/" function preg_match(regex, string) preg_replace(regex, replacement, string) preg_split(regex, string) description returns TRUE if string matches regex returns a new string with all substrings that match regex replaced by replacement returns an array of strings from given string broken apart using given regex as delimiter (like explode but more powerful)

form validation w/ regexes $state = $_POST["state"]; if (!preg_match("/^[a-z]{2}$/", $state)) { print "Error, invalid state submitted."; } preg_match and regexes help you to validate parameters sites often don't want to give a descriptive error message here (why?)

The die function die("error message text"); 's die function prints a message and then completely stops code execution it is sometimes useful to have your page "die" on invalid input problem: poor user experience (a partial, invalid page is sent back)

The header function header("http header text"); # in general header("location: url"); # for browser redirection 's header function can be used for several common HTTP messages sending back HTTP error codes (404 not found, 403 forbidden, etc.) redirecting from one page to another indicating content types, languages, caching policies, server info,... you can use a Location header to tell the browser to redirect itself to another page useful to redirect if the user makes a validation error must appear before any other HTML output generated by the script

Using header to redirect between pages header("location: url"); $city = $_POST["city"]; $state = $_POST["state"]; $zip = $_POST["zip"]; if (!$city strlen($state)!= 2 strlen($zip)!= 5) { header("location: start-page.php"); # invalid input; redirect } one problem: User is redirected back to original form without any clear error message or understanding of why the redirect occurred.

Including files: include include("filename"); include("header.html"); include("shared-code.php"); inserts the entire contents of the given file into the script's output page encourages modularity useful for defining reused functions needed by multiple pages related: include_once, require, require_once

Including a common HTML file <!DOCTYPE html> <!-- this is top.html --> <html><head><title>this is some common code</title>... HTML include("top.html"); # this file re-uses top.html's HTML content Including a.html file injects that HTML output into your page at that point useful if you have shared regions of pure HTML tags that don't contain any content

Including a common file <?php # this is common.php function useful($x) { return $x * $x; } function top() {?> <!DOCTYPE html> <html><head><title>this is some common code</title>... <?php } include("common.php"); # this file re-uses common.php's code $y = useful(42); # call a shared function top(); # produce HTML output... including a.php file injects that code into your file at that point if the included file contains functions, you can call them

Stateful client/server interaction Sites like amazon.com seem to "know who I am." How do they do this? How does a client uniquely identify itself to a server, and how does the server provide specific content to each client? HTTP is a stateless protocol; it simply allows a browser to request a single document from a web server today we'll learn about pieces of data called cookies used to work around this problem, which are used as the basis of higher-level sessions between clients and servers

What is a cookie? cookie: a small amount of information sent by a server to a browser, and then sent back by the browser on future page requests cookies have many uses: authentication user tracking maintaining user preferences, shopping carts, etc. a cookie's data consists of a single name/value pair, sent in the header of the client's HTTP GET or POST request

How cookies are sent when the browser requests a page, the server may send back a cookie(s) with it if your server has previously sent any cookies to the browser, the browser will send them back on subsequent requests alternate model: clientside JavaScript code can set/get cookies

Myths about cookies Myths: Cookies are like worms/viruses and can erase data from the user's hard disk. Cookies are a form of spyware and can steal your personal information. Cookies generate popups and spam. Cookies are only used for advertising. Facts: Cookies are only data, not program code. Cookies cannot erase or read information from the user's computer. Cookies are usually anonymous (do not contain personal information). Cookies CAN be used to track your viewing habits on a particular site.

A "tracking cookie" an advertising company can put a cookie on your machine when you visit one site, and see it when you visit another site that also uses that advertising company therefore they can tell that the same person (you) visited both sites can be thwarted by telling your browser not to accept "third-party cookies"

Where are the cookies on my computer? IE: HomeDirectory\Cookies e.g. C:\Documents and Settings\jsmith\Cookies each is stored as a.txt file similar to the site's domain name Chrome: C:\Users\username\AppData\Local\Google\Chrome\User Data\Default Firefox: HomeDirectory\.mozilla\firefox\???.default\cookies.txt view cookies in Firefox preferences: Privacy, Show Cookies...

How long does a cookie exist? session cookie : the default type; a temporary cookie that is stored only in the browser's memory when the browser is closed, temporary cookies will be erased can not be used for tracking long-term information safer, because no programs other than the browser can access them persistent cookie : one that is stored in a file on the browser's computer can track long-term information potentially less secure, because users (or programs they run) can open cookie files, see/change the cookie values, etc.

Setting a cookie in setcookie("name", "value"); setcookie("username", allllison"); setcookie("age", 19); setcookie causes your script to send a cookie to the user's browser setcookie must be called before any output statements (HTML blocks, print, or echo) you can set multiple cookies (20-50) per user, each up to 3-4K bytes by default, the cookie expires when browser is closed (a "session cookie")

Retrieving information from a cookie $variable = $_COOKIE["name"]; if (isset($_cookie["username"])) { $username = $_COOKIE["username"]; print("welcome back, $username.\n"); } else { print("never heard of you.\n"); } print("all cookies received:\n"); print_r($_cookie); # retrieve value of the cookie any cookies sent by client are stored in $_COOKIES associative array use isset function to see whether a given cookie name exists

Expiration / persistent cookies setcookie("name", "value", expiration); $expiretime = time() + 60*60*24*7; # 1 week from now setcookie("couponnumber", "389752", $expiretime); setcookie("couponvalue", "100.00", $expiretime); to set a persistent cookie, pass a third parameter for when it should expire indicated as an integer representing a number of seconds, often relative to current timestamp if no expiration passed, cookie is a session cookie; expires when browser is closed time function returns the current time in seconds date function can convert a time in seconds to a readable date

Deleting a cookie setcookie("name", FALSE); setcookie("couponnumber", FALSE); setting the cookie to FALSE erases it you can also set the cookie but with an expiration that is before the present time: setcookie("count", 42, time() - 1); remember that the cookie will also be deleted automatically when it expires, or can be deleted manually by the user by clearing their browser cookies

Clearing cookies in your browser Chrome: Wrench History Clear all browsing data... Firefox: Firefox menu Options Privacy Show Cookies... Remove (All) Cookies

Common cookie bugs When you call setcookie, the cookie will be available in $_COOKIE on the next page load, but not the current one. If you need the value during the current page request, also store it in a variable: setcookie("name", "joe"); print $_COOKIE["name"]; # undefined $name = "joe"; setcookie("name", $name); print $name; # joe setcookie must be called before your code prints any output or HTML content: <!DOCTYPE html><html> <?php setcookie("name", "joe"); # should precede HTML content!

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback