Continuing the topic of site user data security, today we address cookies. So, let's see what cookie security is.
What is a cookie?
A cookie is a small fragment of data sent by a server and stored on the user's computer. Every time that computer connects to the website, it sends this data back in an HTTP request. What data does our computer hand over to the server in this way:
- user authentication
- storage of user settings
- user statistics
- user access sessions
The first item deserves a closer look: in practice, authentication means a username and password. So it turns out that the browser simply hands over the most intimate data of all.
We will not yet move on to the topic “how to secure your cookies” as a user; for now we talk about what site owners should do to build a proper security policy for their users.
What is cookie security?
Imagine that we have already obtained an SSL certificate and the connection to our site goes over HTTPS. What do we do with cookies? First, let's look at what the browser makers did to “secure” our data:
- in total, a browser can store up to 300 cookie values
- each cookie cannot exceed 4 KB
- up to 20 cookie values can be stored per server or domain
Not a lot, right? In fact, the server needs these cookies to make our use of the browser and Internet resources pleasant. Think how it would be if you had to enter a password every time you logged in to VK. Yes, of course, there are Web users who do exactly that, because their browser does not store cookies. And on every visit to the server the browser transmits fresh information and keeps nothing outdated.
In addition, cookies store data downloaded from a site once you have visited it, so when you return, the page loads faster.
But there are sites whose subject matter requires dropping cookies every time the browser or site is closed. Bank and online payment system sites are an example.
How to create cookies?
For example, PHP has INI session security settings such as “session.cookie_lifetime = 0”.
You can configure auto-login and much more; the full list of these settings can be found in the official PHP documentation.
Ways to protect user data:
- Data encryption. SSL provides this for us.
- Checking the browser, namely the User-Agent HTTP header field.
- Session duration. It can be changed or reconfigured in php.ini and .htaccess.
- Binding to the IP address. This is usually used only when the number of users is limited and they have static IP addresses.
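As an added example (not code from the original article), here is a PHP fragment that applies these points: it sets session.cookie_lifetime = 0 together with the Secure, HttpOnly and SameSite flags, ties the session to the User-Agent header (and optionally to the client IP), and limits session duration by idle time. It assumes PHP 7.3 or later (array form of session_set_cookie_params) and a site served over HTTPS; the function names and constants are my own.

```php
<?php
// Added example, not code from the original article. Assumes PHP 7.3+ and HTTPS.
const BIND_TO_IP = false;         // enable only for small user bases with static IPs
const SESSION_MAX_IDLE = 15 * 60; // seconds of inactivity before the session is dropped

function startHardenedSession(): void
{
    // Refuse session IDs the server did not issue itself.
    ini_set('session.use_strict_mode', '1');
    // session.cookie_lifetime = 0 from the article: the cookie dies with the browser.
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,      // only sent over HTTPS
        'httponly' => true,      // not readable from JavaScript
        'samesite' => 'Strict',  // not attached to cross-site requests
    ]);
    session_start();
}

function clientFingerprint(): string
{
    // Hash of the User-Agent header, plus the client IP when IP binding is on.
    $parts = [$_SERVER['HTTP_USER_AGENT'] ?? ''];
    if (BIND_TO_IP) {
        $parts[] = $_SERVER['REMOTE_ADDR'] ?? '';
    }
    return hash('sha256', implode("\n", $parts));
}

function sessionIsValid(): bool
{
    $now = time();
    if (!isset($_SESSION['fp'])) {            // first request: record the fingerprint
        $_SESSION['fp']   = clientFingerprint();
        $_SESSION['last'] = $now;
        return true;
    }
    $expired  = ($now - $_SESSION['last']) > SESSION_MAX_IDLE;
    $mismatch = !hash_equals($_SESSION['fp'], clientFingerprint());
    if ($expired || $mismatch) {               // drop the session rather than trust it
        $_SESSION = [];
        session_destroy();
        return false;
    }
    $_SESSION['last'] = $now;
    return true;
}
```

Call startHardenedSession() and then sessionIsValid() at the top of every request, rejecting the request when the check fails. After a successful login, call session_regenerate_id(true) so the authenticated session gets a fresh ID.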
Unfortunately, it is impossible to completely rule out the hacking or theft of cookies, but the recommendations listed above will help protect against low- to medium-skill attackers.