Saturday

Identity and Authentication Credentials - Cookies

One of the big issues that every web site encounters is how to authenticate and identify it's users.  In the physical world there are lots of straight forward options for doing this - you might have a security pass at your place of work or you may use a library card to borrow books against your name.  

In these situations it's the physical credential that is important, you are allowed to borrow books based on the possession of a library card.  You can walk passed the security desk because you're wearing a security pass or badge. 

But how does this work in the digital world ?  

Well it's actually very similar but obviously the credentials can't be in a physical form.  The premise is the same - the credentials are presented, if these are authenticated then the owner is allowed access.  Online authentication systems require the same sort of credentials as are used in the real world - i.e they need to possess one of the following requirements:
  • Something you know
  • Something you have
  • Something you are 
  • A combination of the above
These are known as authentication factors and the more a system has then the higher the level of security.  In security terms you'll hear expressions like Two factor authentication - such as an ATM machine.  To get your cash you need a bank card (something you have) and a PIN code(something you know) in order to withdraw cash.

One of the most common authentication credentials used online is of course the cookie.  Most people of course will have heard of these but it's often overlooked the huge power of this particular identity credential.


So what exactly is a cookie ?  Well it's defined in the Hackers Dictionary as a handle, transaction ID, or other token of agreement between cooperating systems. 

It's just like the ticket you are given by the cobbler when you leave your shoes to be mended.  The ticket is only useful for one thing - for you to retrieve your shoes after they've been mended.  It's just like a cookie - a record of a specific visit or transaction.

Online these cookies are exchanged between browsers (like Firefox or IE) and the web servers that people actually visit.  Linking together transactions and people in the digital world just like the ticket for your shoe repairs
.
For example say you visit a website called www.surfing.com for the very first time. The owners of this web site want to see who visits their site so have configured their server to pass a cookie to every person who visits.  The cookie is in the form of a little text file which unique information about your visit.   The browser stores the cookie in a file on your computer - this file will be accessed every time you visit that web site again.

So here's the chain of events - 
  • The server asks my browser to store some information for it.
  • The server supplies the information that is to be stored.
  • The browser stores the information in a text file on the computer (chosen by the browser).
  • The cookie doesn't contain any information about me (only my visit)
  • The cookie is a merely information (it can't be run or access anything on the computer)
  • The cookie is supplied back to the web server every time I revisit the site.
If it sounds quite simple, it's because it is. The primary aim is to identify subsequent visits by the same user over time - something that HTTP can't normally do because it is classed as a stateless protocol.

In practice it's used for remembering who you are, filling in online forms, remembering your password or the selections you made on the last visit.  They are designed to make your visit to the site more rewarding and simpler of course if you'd rather be anonymous most browsers can be configured to not accept them.

They can be configured to do a host of other things though in certain circumstances which I will cover in a separate post.  In general they are quite benign though and the chances are you probably have hundreds of cookies sitting on your computer at this very moment!

0 comments: