1
00:00:00,360 --> 00:00:04,330
Now, in this lecture, we are going to understand all the concepts related to cookies.

2
00:00:04,680 --> 00:00:09,930
So first of all, we are going to understand session tracking using cookies. So HTTP is a stateless

3
00:00:09,930 --> 00:00:10,240
protocol.

4
00:00:10,260 --> 00:00:16,890
So a protocol where a client makes a request and the server responds with the data, and the next request

5
00:00:16,890 --> 00:00:22,900
that comes in is an entirely new request, unrelated to the previous request.

6
00:00:23,160 --> 00:00:28,480
So the design of HTTP requests is such that they are all independent of each other.

7
00:00:29,250 --> 00:00:36,270
When you add an item to your shopping cart while doing online shopping, the application needs

8
00:00:36,270 --> 00:00:39,140
a mechanism to tie the item to your account.

9
00:00:39,690 --> 00:00:44,560
Each application may also have different ways to identify each session.

10
00:00:45,150 --> 00:00:53,160
So the most widely used mechanism to track the session is to use a session ID set by the server as soon as the user

11
00:00:53,160 --> 00:00:55,880
authenticates with a valid username and password.

12
00:00:56,160 --> 00:01:04,790
A unique, random session ID is assigned to the user, and on every request the client

13
00:01:04,920 --> 00:01:12,610
should include the unique session ID that would tie the request to the authenticated user, and the ID

14
00:01:12,610 --> 00:01:16,230
could be shared using the GET method or the POST method.

15
00:01:16,710 --> 00:01:23,130
When using the GET method, the session ID would become a part of the URL; when using the POST method,

16
00:01:23,130 --> 00:01:29,400
the ID is sent in the body of the data, the method that we have seen in the last lecture, and the server

17
00:01:29,400 --> 00:01:33,520
would maintain a table mapping usernames to the assigned session IDs.
18
00:01:33,990 --> 00:01:40,170
The biggest advantage of assigning a session ID is that even though HTTP is stateless, the user

19
00:01:40,170 --> 00:01:43,260
is not required to authenticate on every request.

20
00:01:43,470 --> 00:01:48,910
The browser would present the session ID and the server would simply accept it.

21
00:01:48,930 --> 00:01:50,810
So this has a security drawback too.

22
00:01:51,150 --> 00:01:59,280
So anyone who gains access to the session ID could simply impersonate the user without requiring a username

23
00:01:59,280 --> 00:02:00,020
and password.

24
00:02:00,420 --> 00:02:06,570
So also, the strength of the session ID depends on the degree of randomness used to generate it, which would help

25
00:02:06,570 --> 00:02:08,400
to defeat a brute force attack.

26
00:02:08,820 --> 00:02:12,150
So now let's understand what a cookie is.

27
00:02:12,660 --> 00:02:21,030
So cookies are the actual mechanism using which the session ID is passed back and forth between the user, that is the client,

28
00:02:21,030 --> 00:02:24,270
and the web server. When using cookies, the

29
00:02:24,270 --> 00:02:28,380
server assigns a client a unique ID by setting the Set-Cookie field.

30
00:02:28,680 --> 00:02:31,880
That is what I have shown you as the Set-Cookie parameter.

31
00:02:32,460 --> 00:02:34,180
So in the HTTP request.

32
00:02:35,400 --> 00:02:41,290
So when the client receives the header, it will store the value of the cookie, that is the session ID,

33
00:02:41,610 --> 00:02:44,580
within the browser and associate it with the website

34
00:02:44,580 --> 00:02:45,870
URL it is told to send it to.

35
00:02:46,500 --> 00:02:53,340
When a user simply revisits the original website, the browser will simply send the cookie values

36
00:02:53,340 --> 00:02:55,040
across, identifying the user.

37
00:02:55,680 --> 00:03:01,860
So besides saving the critical authentication information, a cookie can also be used to set preference

38
00:03:01,860 --> 00:03:04,560
information for the end client, such as language.
39
00:03:05,250 --> 00:03:07,440
So the cookie storing the language

40
00:03:07,440 --> 00:03:14,100
preference for the user is then used by the server to display the webpage in the user's preferred language

41
00:03:14,310 --> 00:03:15,990
when the user comes back.

42
00:03:16,830 --> 00:03:18,930
So here we are now.

43
00:03:19,050 --> 00:03:23,940
First of all, let's see how the cookie flow between the server and the client works.

44
00:03:24,810 --> 00:03:31,320
So now, as we are having this particular picture, the screenshot, the cookies are always set and controlled

45
00:03:31,320 --> 00:03:37,700
by the server, and the web browser is only responsible for sending them across to the server with every request.

46
00:03:38,010 --> 00:03:46,050
So in this particular screenshot, we can see that a GET request is made to the server and the application

47
00:03:46,230 --> 00:03:50,460
on the server chooses to set some cookies to identify the user

48
00:03:51,480 --> 00:03:54,990
and the language selected by the user in the previous request.

49
00:03:55,410 --> 00:04:01,780
So in subsequent requests made by the client, the set cookie becomes a part of the request.

50
00:04:02,370 --> 00:04:08,610
OK, so now let's understand what persistent and non-persistent cookies are.

51
00:04:08,970 --> 00:04:11,700
So here you can see what we are having.

52
00:04:11,700 --> 00:04:15,120
So let's understand what persistent and non-persistent are.

53
00:04:15,300 --> 00:04:17,970
So cookies are divided into two categories.

54
00:04:18,390 --> 00:04:19,500
Persistent cookies

55
00:04:19,500 --> 00:04:26,940
are those which are simply stored on the hard drive as a text file. Since the cookies are stored on the hard

56
00:04:26,940 --> 00:04:27,840
drive, it would.

57
00:04:27,840 --> 00:04:29,580
So why is that?
58
00:04:30,210 --> 00:04:36,120
A cookie, as mentioned previously, can be used to pass the authentication or authorization

59
00:04:36,440 --> 00:04:38,670
information in the form of a session ID.

60
00:04:39,000 --> 00:04:44,780
So if it is stored on a hard drive, you cannot protect it from modification by a malicious user

61
00:04:45,060 --> 00:04:45,590
or attacker.

62
00:04:46,140 --> 00:04:53,190
You can find the cookies stored on the hard drive when using Internet Explorer, as you can see, in

63
00:04:53,190 --> 00:04:54,270
this particular location.

64
00:04:54,750 --> 00:04:59,370
Okay, so this is the location where you can find the cookies which are stored

65
00:04:59,450 --> 00:05:01,460
on your hard drive.

66
00:05:02,150 --> 00:05:06,290
So this is how you can see persistent, and non-persistent is nothing but,

67
00:05:06,590 --> 00:05:09,290
well, it is not stored on the hard drive.

68
00:05:09,660 --> 00:05:13,020
OK, so now let's understand the cookie parameters.

69
00:05:13,370 --> 00:05:19,580
So as you can see, in addition to the name and the value of the cookie, there are several other parameters

70
00:05:19,580 --> 00:05:26,210
set by the browser or web server that define the reach and availability of the cookies, as you can

71
00:05:26,210 --> 00:05:28,130
see in this particular screenshot.

72
00:05:28,400 --> 00:05:30,880
So here we are having some parameters.

73
00:05:30,920 --> 00:05:32,360
Let's first understand the domain.

74
00:05:32,870 --> 00:05:36,470
OK, so here we are having Set-Cookie. Inside this

75
00:05:36,470 --> 00:05:39,400
we are having, OK, let me use a different color here.

76
00:05:39,410 --> 00:05:44,240
We are having this particular cookie parameter, the Set-Cookie parameter; inside this we are having domain.

77
00:05:45,060 --> 00:05:49,030
OK, so this simply specifies the domain to which the cookie would be sent.

78
00:05:49,500 --> 00:05:50,950
So then we are having path.
79
00:05:51,630 --> 00:05:59,060
So this is the path for which the cookie is set. The parameter can be specified: if the domain specified

80
00:05:59,060 --> 00:06:05,220
is email.com and the path is set to /mail, then the cookie would only be sent to the pages

81
00:06:05,220 --> 00:06:12,150
inside email.com/mail, which you can see here, email.com/mail.

82
00:06:12,630 --> 00:06:15,800
OK, so then we are having HttpOnly, which is here.

83
00:06:16,470 --> 00:06:23,640
So this is a parameter that is set to mitigate the risk posed by the cross-site scripting attack,

84
00:06:23,640 --> 00:06:26,300
as JavaScript won't be able to access the cookie.

85
00:06:26,820 --> 00:06:32,230
So then, as you can see, HttpOnly, Expires.

86
00:06:32,640 --> 00:06:36,260
OK, so here we are having Expires also.

87
00:06:36,570 --> 00:06:40,440
So this cookie will be stored until the time specified in this parameter.

88
00:06:40,830 --> 00:06:47,700
So this is how secure cookies, persistent and non-persistent cookies, and the cookie parameters all look together.

89
00:06:48,030 --> 00:06:49,610
So this is all for this lecture.
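Added example, not part of the lecture: a small Python audit helper that parses a Set-Cookie header, applies the Domain/Path scoping rules the lecture illustrates with email.com and /mail, tells persistent from session cookies by the presence of Expires or Max-Age, and flags a session cookie that lacks HttpOnly or Secure. The header strings and host names are constructed for illustration; the matching rules follow RFC 6265 and the default path is simplified to "/".

```python
"""Audit a Set-Cookie header for scope (Domain, Path), persistence
(Expires/Max-Age) and the HttpOnly/Secure protections."""
from urllib.parse import urlparse


def parse_set_cookie(header):
    """Split 'name=value; Attr=val; Flag' into name, value and attribute dict.
    Flags without a value (HttpOnly, Secure) are stored as True."""
    first, *attrs = [p.strip() for p in header.split(";")]
    name, _, value = first.partition("=")
    cookie = {"name": name.strip(), "value": value.strip(), "attrs": {}}
    for attr in attrs:
        key, _, val = attr.partition("=")
        cookie["attrs"][key.strip().lower()] = val.strip() or True
    return cookie


def is_persistent(cookie):
    """Expires or Max-Age makes the browser write the cookie to disk;
    without either it lives only for the browser session."""
    return "expires" in cookie["attrs"] or "max-age" in cookie["attrs"]


def domain_matches(request_host, cookie_domain):
    # Domain=email.com covers email.com and every subdomain of it.
    return request_host == cookie_domain or request_host.endswith("." + cookie_domain)


def path_matches(request_path, cookie_path):
    # Path=/mail covers /mail and /mail/..., but not /mailbox.
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False


def would_be_sent(cookie, set_url, request_url):
    """Decide whether a browser attaches the cookie (set while loading set_url)
    to request_url. A cookie with no Domain attribute is host-only."""
    setter, req = urlparse(set_url), urlparse(request_url)
    attrs = cookie["attrs"]
    domain = str(attrs.get("domain", "")).lstrip(".").lower()
    if domain:
        if not domain_matches(req.hostname, domain):
            return False
    elif req.hostname != setter.hostname:
        return False
    if not path_matches(req.path or "/", str(attrs.get("path", "/"))):
        return False
    # Secure cookies are never sent over plain HTTP.
    return not (attrs.get("secure") and req.scheme != "https")


def audit(cookie):
    """Return the weaknesses a defender would flag on a session-ID cookie."""
    attrs, findings = cookie["attrs"], []
    if not attrs.get("httponly"):
        findings.append("no HttpOnly: readable by script, exposed to XSS")
    if not attrs.get("secure"):
        findings.append("no Secure: may be sent in cleartext HTTP")
    if is_persistent(cookie):
        findings.append("persistent: session ID written to disk")
    return findings
```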