8.14. Authenticating with HTTP Cookies
Problem
You are developing a CGI application for the Web and need to store data on the client’s machine using a cookie, but you want to prevent the client from viewing the data or modifying it without your application being able to detect the change.
Solution
Web cookies are implemented by setting a value in the MIME headers sent to the client in a server response. If the client accepts the cookie, it will present the cookie back to the server every time the specified conditions are met. The cookie is stored on the client’s computer, typically in a plaintext file that can be modified with any editor. Many browsers even provide an interface for viewing and editing cookies that have been stored.
A single MIME
header is a header name followed by a colon, a space, and the header
value. The format of the header value depends on the header name.
Here, we’re concerned with only two headers: the
Set-Cookie
header, which can be sent to the client
when presenting a web page, and the
Cookie
header, which the client presents to
the server when the user browses to a site which stores a cookie.
To ensure the integrity of the data that we store on the client’s computer with our cookie, we should encrypt and MAC the data. The server does encoding when setting a cookie, then decrypts and validates whenever the cookie comes back. The server does not share its keys with any other entity—it alone uses them to ensure that the data has not been read or modified since ...
Get Secure Programming Cookbook for C and C++ now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.