Exercise 14

By rico61

Exercise 14 – Electronic Payment and Security II

What are cookies and how are they used to improve security?

When a client requests a web page from a web server, the server sends the requested HTTP object to the client together with a piece of state information that is stored on the client computer.  The state object includes a range of URLs for which it is valid.  When the client later requests an HTTP object whose URL falls within that valid range, the current values of the state object are transmitted from the client to the server.  This state object is the cookie.

Cookies can be used to improve security.  For example, the client can store an authentication code in two parts.  The first part of the authentication code is stored as a cookie accessible by the server, while the second part is not accessible by the server.  When logging in to the site, the client transmits the first part of the code to the server as a cookie, and the user provides / enters the second part.  With this arrangement, the transmission of the first part of the authentication code is carried out in the back end, with minimal chance of being observed by others close to the client machine.  Therefore the security of accessing the site is improved.

Can the use of cookies be a security risk?

Yes, the use of cookies can be a security risk.  Some servers use cookies to store users' login names and passwords in order to save time when logging in to the server each time.  In that situation, an eavesdropper armed with a packet sniffer could simply intercept the cookie as it passes from your browser to the server and gain access to the site.  Therefore, it is not advisable for a cookie to contain a plaintext username and password.
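To make the mechanism above concrete, here is an added example (not part of the original post) of a minimal client-side cookie jar in Python: it parses Set-Cookie headers in the Netscape style, returns a cookie only on requests whose URL falls within its domain and path scope, and withholds a cookie marked secure from plaintext HTTP requests, which is the direct defence against the packet-sniffing risk. The host names, cookie names and values are constructed for illustration.

```python
"""Minimal cookie jar: the server sets state with Set-Cookie, the client stores it
with its domain/path scope and returns it only on later requests inside that scope."""
from urllib.parse import urlparse

def parse_set_cookie(header, request_url):
    """Parse one Set-Cookie header value; domain/path default from the setting URL."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    url = urlparse(request_url)
    cookie = {"name": name.strip(), "value": value.strip(),
              "domain": url.hostname, "path": url.path.rsplit("/", 1)[0] or "/",
              "secure": False}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "secure":
            cookie["secure"] = True
        elif key in ("domain", "path"):
            cookie[key] = val.strip()
    return cookie

def domain_matches(host, domain):
    """Netscape tail-matching: 'www.shop.example.com' matches '.shop.example.com'."""
    domain = domain.lstrip(".")
    return host == domain or host.endswith("." + domain)

def cookies_for_request(jar, request_url):
    """Return the Cookie header value the client would transmit for this URL."""
    url = urlparse(request_url)
    path = url.path or "/"
    sent = []
    for c in jar:
        if not domain_matches(url.hostname, c["domain"]):
            continue
        if not path.startswith(c["path"]):  # Netscape path matching is a prefix match
            continue
        # A 'secure' cookie must never travel over plaintext HTTP, where a sniffer could read it.
        if c["secure"] and url.scheme != "https":
            continue
        sent.append(f"{c['name']}={c['value']}")
    return "; ".join(sent)

# Constructed sample: one cookie carrying a plaintext user name (the risky pattern),
# one carrying an opaque session token restricted to HTTPS and the /account path.
JAR = [
    parse_set_cookie("user=alice; path=/", "http://shop.example.com/login"),
    parse_set_cookie("session=7f3a9c; path=/account; secure", "https://shop.example.com/login"),
]
```

Over plain HTTP only the `user` cookie is sent; the `secure` session cookie is withheld until the request is made over HTTPS.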
