Using Cookies

 
Mohan Panigrahi
Ranch Hand
Posts: 142
Hi,
What is the practical utility of the setDomain() method in the Cookie class? Does it not present a security concern, where I can overwrite cookies stored by servers in other domains?
Thanks
 
Tim Baker
Ranch Hand
Posts: 541
No, if you try and spoof a domain it will be rejected by the browser. I'm not sure on a practical use of it.
 
Marty Hall
Author
Ranch Hand
Posts: 111
What is the practical utility of the setDomain() method in the Cookie class?

Well, I twice gave servlet and JSP training courses in Australia. Suppose that, before I went, I visited http://australia.sometravelsite.com/. While at the site, I registered, set up frequent flyer numbers, seating preferences, etc. I also set it so that the site would remember me automatically (because of cookies).
Now, I also twice gave servlet and JSP training courses in Japan. Suppose that I therefore went to http://japan.sometravelsite.com/. When I did so, I wouldn't be automatically recognized, since the default behavior of browsers is to return cookies only to the exact same hostname that they got them from. But, assuming that the developers at sometravelsite.com wanted this type of access to work across the subdomains, they could each do theCookie.setDomain(".sometravelsite.com").
Does it not present a security concern, where I can overwrite cookies stored by servers in other domains?

Well, the browser will reject requests to set the domain if the server is not part of that domain. So, for example, a site at oracle.com couldn't setDomain to sybase.com. Also, browsers will disallow ".com" and similar things as the domain. Still, it is possible for japan.sometravelsite.com to arrange it so that a visitor there sends unexpected cookies to australia.sometravelsite.com.
Note, however, that this is nothing to do with servlets and JSP. This is simply how cookies already work. The setDomain method merely sends the standard option that browsers already support.
Cheers-
- Marty
 
Mohan Panigrahi
Ranch Hand
Posts: 142
Thanks a lot Marty! I appreciate your detailed response.
Thanks
 
Maulin Vasavada
Ranch Hand
Posts: 1873
Hi Mohan
Also notice that we can't retrieve the cookie's domain, path etc., except the value, via a program: not from JSP, not from a servlet, not even from JavaScript cookie reading.
So only the code that actually wrote the cookie knows those details about the cookie and hence can manipulate it further, by deleting the cookie and so on.
This also means that if we want to delete a cookie then we have to know "all" the parameters with which it was set and re-add the cookie with an expiry time in the past, which will instruct the browser to delete the cookie. In essence, nobody else can delete a cookie just like that, nor can anybody read the whole cookie just like that!
Regards
Maulin
 
Mohan Panigrahi
Ranch Hand
Posts: 142
Thanks Maulin for your response. Just to seek clarification, what did you mean by knowing all parameters?

This also means that if we want to delete a cookie then we have to know "all" parameters with which it was set

I thought just setMaxAge(0) would suffice to delete a cookie, contained in cookie array returned by the client's browser.

Thanks
[ November 12, 2003: Message edited by: Mohan Panigrahi ]
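Marty's shared-subdomain scenario and Maulin's point about deletion, shown together as an added Java servlet example that is not code from the thread (the class and method names, the 30-day lifetime and the Servlet 3.0+ setHttpOnly call are assumptions):

```java
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Hypothetical helper for a cookie shared across *.sometravelsite.com hosts. */
public class SharedCookies {
    // Assumed values: the parent domain and path the cookie is issued with.
    static final String SHARED_DOMAIN = ".sometravelsite.com";
    static final String SHARED_PATH = "/";
    static final String NAME = "profile";

    /** Issue a cookie that both australia.* and japan.* hosts will receive. */
    static Cookie issueProfileCookie(String value) {
        Cookie c = new Cookie(NAME, value);
        c.setDomain(SHARED_DOMAIN);     // browser rejects this unless the issuing host is inside the domain
        c.setPath(SHARED_PATH);
        c.setMaxAge(60 * 60 * 24 * 30); // 30 days (assumed lifetime)
        c.setSecure(true);              // only sent over HTTPS
        c.setHttpOnly(true);            // Servlet 3.0+: not readable from JavaScript
        return c;
    }

    /**
     * Deletion must repeat the same name, domain and path: the browser only sends
     * "name=value", so these attributes never come back in request.getCookies().
     */
    static Cookie deletionCookie() {
        Cookie c = new Cookie(NAME, "");
        c.setDomain(SHARED_DOMAIN);
        c.setPath(SHARED_PATH);
        c.setMaxAge(0);                 // max-age 0 tells the browser to drop the matching cookie
        return c;
    }

    /** Logout handler showing why setMaxAge(0) on the received cookie alone is not enough. */
    static void logout(HttpServletRequest req, HttpServletResponse resp) {
        Cookie[] cookies = req.getCookies(); // null when the request carried no cookies
        if (cookies == null) return;
        for (Cookie fromBrowser : cookies) {
            if (NAME.equals(fromBrowser.getName())) {
                // fromBrowser.getDomain() and getPath() are null here. Re-adding it with
                // setMaxAge(0) would create a host-only cookie for the current path and
                // leave the ".sometravelsite.com" cookie in place, so rebuild it explicitly.
                resp.addCookie(deletionCookie());
            }
        }
    }
}
```

Because any host under the shared domain can set such a cookie, server-side code should validate the cookie's contents rather than trust them on the basis of which subdomain it expects to have issued them.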