O'Reilly logo

Network Security with OpenSSL by Pravir Chandra, Matt Messier, John Viega

Stay ahead with the world's most comprehensive technology and business learning platform.

With Safari, you learn the way you learn best. Get unlimited access to videos, live online training, learning paths, books, tutorials, and more.

Start Free Trial

No credit card required

Secure HTTP Cookies

Let's pull our knowledge of symmetric cryptography and message authentication codes together in a real application, namely setting cookies over HTTP in a user's web browser from a server-side application. Web cookies are implemented by setting a value in the MIME header sent to the client in a server response. If the client accepts the cookie, then it will present the cookie back to the server every time the specified conditions are met.

A single MIME header is a header name followed by a colon, a space, and then the header value. The format of the header value depends on the header name. In this example, we're concerned with only two headers: the Set-Cookie header, which can be sent to the client when presenting a web page, and the Cookie header, which the client presents to the server when the user browses to a site for which a cookie is stored.

Let's consider an example in which we want to keep track of some history of the user's activity on our site, but we don't want the user to look at or modify the data. To do this, we should place a cookie on the user's machine that contains the history information. If this will be done in plaintext, we might send the following MIME header:

Set-Cookie: history=231337+13457;path=/

The path variable specifies the root page in the domain from which the cookie came. The cookie will be sent with a page request only if it is rooted under the specified path. In the above instance, the client will return this cookie to any page ...

With Safari, you learn the way you learn best. Get unlimited access to videos, live online training, learning paths, books, interactive tutorials, and more.

Start Free Trial

No credit card required