
Hack 52. Stomp on Cookies

Track, trap, configure, kill, create, and otherwise diddle with HTTP cookies.

HTTP is a stateless protocol, meaning that each web request made by the browser is independent of all other requests. This greatly preserves the user's privacy. Cookies are an enhancement to the HTTP standard that introduces tracking information that web browsers and servers can share. That tracking information consists of (usually) a single HTTP header line that goes back and forth between the User Agent (browser) and the server. Cookies also carry a small amount of access-control information based on URLs and expiry dates. This hack explains how to manipulate cookies from the browser side, once they're generated.

Cookies are based on a vendor specification written by Netscape Corporation (you can view that specification at http://wp.netscape.com/newsref/std/cookie_spec.html). Since then, cookies have been more formally defined in RFC 2109. The name cookie derives from the intended use of the header data: the supply of an opaque token useful only for session identification (from magic cookie).

Particularly in Netscape 4.x and earlier, the number of cookies that browsers would maintain per site was limited to 20. That limit no longer applies, even though one cookie per site is usually enough.

Cookies offer no security at all. Never put any user details in a cookie; never expose any server information in a cookie; never use cookies to preserve important data across HTTP requests. Quality browsers go to great lengths to prevent cookies sent from one web server from being viewed by web pages from other servers.

5.10.1. Using the Cookie Manager

To open Firefox's Cookie Manager, start with the Options dialog box, click Privacy, and expand the Cookies item that appears in the right pane. Click Exceptions to view a blacklist of sites that you don't want to set cookies. Alternatively, select View Cookies to manage the currently stored cookies. The Cookie Manager won't let you modify cookies in place; you can only delete them or ban sites from using them.

The options variously reported as "Keep Cookies until I close Firefox" or "Allow for Session" mean the same thing: the cookies will not be written to a file on disk. When they are written, cookies appear in the human-readable file cookies.txt, stored in the user profile.

To delete lots of cookies at once, open the View Cookies dialog box and use Windows-style mouse-selection techniques. Left-click to highlight one cookie, and then Shift-left-click to highlight another cookie that marks the end of a set to be deleted. The resulting block of highlighted cookies can then all be deleted by clicking the Delete button. Similarly, you can select noncontiguous cookies with Control-left-click (Command-left-click on Macintosh).

5.10.2. Using Cookie Extensions

There are at least two extensions available for manipulating cookies.

5.10.2.1 View Cookies extension

To locate the View Cookies extension, open the Extension Manager and go to the end of the All list of extensions. It's also available at http://www.bitstorm.org/extensions/. This extension discreetly adds an additional tab to the Tools → Page Info dialog box that allows you to view details of the current web page. Figure 5-8 shows this tab after it's been selected and after the sole existing cookie has also been clicked.

Figure 5-8. The Cookies tab added by the View Cookies extension


5.10.2.2 Add & Edit Cookies extension

You can find the Add & Edit Cookies extension at http://addneditcookies.mozdev.org/. At the time of writing, it's brand new to Firefox, and where View Cookies is discreetly minimal, Add & Edit Cookies does everything you could ever want. In particular, you can change cookies live while the browser is running, and you're not restricted to changing cookies relevant to the currently displayed web page. You can also filter cookies by site.

Once installed, choose Tools → Cookie Editor to start up this extension. The windows can be poorly sized when they first appear; to fix that, just drag the bottom-right corner with the mouse until they're big enough. They'll stay resized while the current profile exists.

Figure 5-9 shows the editing delights that Add & Edit Cookies provides.

Figure 5-9. The main window of the Add & Edit Cookies extension


5.10.3. Scripting Cookies

The oldest interface to the cookie system is via JavaScript. The document.cookie property allows you to set, alter, or remove any cookies local to the current URL or domain. The days when this property needs to be touched are nearly gone:

  • Servers should generally be the source of all cookies if security is to be as robust as possible.

  • Data from the user should be delivered in HTTP GET or POST requests, or by other formal means, such as SOAP or XMLHttpRequest, not in cookies.

  • The cookie property is confusing to use.

This last point bears brief description. In ECMAScript terms, the [[Get]] and [[Put]] operations on the cookie property are both unusual. If you assign anything to the property, the [[Put]] operation treats the assigned string as a single cookie and adds it to the cookie database. If you use the property's value in an expression, the [[Get]] operation provides a report (as a string) of all cookies relevant to the current page.
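To make that asymmetry concrete, here is a constructed example (not code from the book or from Firefox) that models a miniature browser cookie jar: Set-Cookie lines scoped by domain, path, expiry and the Secure flag, and a document.cookie-style accessor whose read half reports every relevant cookie while its write half adds exactly one. The names CookieJar, parseSetCookie and documentCookieFor are hypothetical.

```javascript
// Constructed example, not from the book: a toy cookie jar plus a document.cookie-style
// accessor. Names (parseSetCookie, CookieJar, documentCookieFor) are hypothetical.
function parseSetCookie(header, requestHost) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: pair.slice(0, eq).trim(), value: pair.slice(eq + 1),
                   domain: requestHost, path: "/", expires: null, secure: false };
  for (const attr of attrs) {
    const i = attr.indexOf("=");
    const key = (i < 0 ? attr : attr.slice(0, i)).trim().toLowerCase();
    const val = i < 0 ? "" : attr.slice(i + 1).trim();
    if (key === "domain") cookie.domain = val.replace(/^\./, "").toLowerCase();
    else if (key === "path") cookie.path = val || "/";
    else if (key === "expires") cookie.expires = new Date(val);
    else if (key === "secure") cookie.secure = true;
  }
  return cookie;
}

class CookieJar {
  constructor() { this.cookies = []; }
  // Store one Set-Cookie line received from requestHost; a cookie with the same
  // name, domain and path replaces the old one.
  store(header, requestHost) {
    const c = parseSetCookie(header, requestHost.toLowerCase());
    this.cookies = this.cookies.filter((o) =>
      !(o.name === c.name && o.domain === c.domain && o.path === c.path));
    this.cookies.push(c);
  }
  // Cookies a page at host/path may see: domain suffix match, path prefix match,
  // not yet expired, and Secure cookies only when the page was fetched over TLS.
  relevantTo(host, path, https, now = new Date()) {
    host = host.toLowerCase();
    return this.cookies.filter((c) =>
      (host === c.domain || host.endsWith("." + c.domain)) &&
      path.startsWith(c.path) &&
      (!c.expires || c.expires > now) &&
      (!c.secure || https));
  }
}

// The confusing accessor: reading yields a "name=value; name2=value2" report of every
// relevant cookie, while assigning treats the string as ONE new cookie and stores it.
function documentCookieFor(jar, host, path, https) {
  return Object.defineProperty({}, "cookie", {
    get: () => jar.relevantTo(host, path, https).map((c) => `${c.name}=${c.value}`).join("; "),
    set: (str) => jar.store(str, host),
  });
}
```

Reading the property never returns attributes such as Domain or Expires, so a script cannot tell which server set a cookie; that is another reason the hack recommends leaving cookie creation to the server.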

In short, just don't do it. Note that a secure web page or a secure extension has access to all the cookies in the browser. A hostile extension could share that information between conspiring web sites. This is a form of identity trading, although you are guaranteed anonymity at all web sites, provided that you never supply personal details.
