You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
*[Data Security For Cookies](#data-security-for-cookies)
27
28
28
29
## Ingredients of a Cookie
29
30
@@ -132,8 +133,38 @@ Ooie-gooie and fresh out of the oven, perfectly golden brown. Here are some attr
132
133
133
134
Ideally the cookie is also cryptographically signed or encrypted, but how that is done is typically up to the implementation.
134
135
136
+
#### Signed Cookies
137
+
138
+
Signed cookies are an alternative to signed URLs. Signed cookies protect access when separately signing tens or hundreds of URLs for each user isn't feasible in your application.
139
+
Signed cookies let you do the following:
140
+
141
+
* Authorize a user and provide them with a time-limited token for accessing your protected content (instead of signing each URL).
142
+
* Scope the user's access to a specific URL prefix, such as https://media.example.com/videos/, and grant the authorized user access to protected content within that URL prefix only.
143
+
* Keep your URLs and media manifests unchanged, simplifying your packaging pipeline and improving cacheability.
144
+
145
+
##### Preventing Misuse of Signed Cookies
146
+
147
+
If you specify the Domain parameter in a Set-Cookie header, specify the most precise value possible to reduce the potential for access by someone with the same root domain name. For example, app.example.com is preferable to example.com, especially when you don't control example.com. This helps prevent someone from accessing your content from www.example.com.
148
+
To help prevent this type of attack, do the following:
149
+
150
+
* Exclude the Expires and Max-Age cookie attributes, so that the Set-Cookie header creates a session cookie. Session cookies are automatically deleted when the user closes the browser, which reduces the possibility of someone getting unauthorized access to your content.
151
+
* When possible, use a custom policy and include the IP address of the viewer.
152
+
* Specify the shortest reasonable expiration time based on how long you want users to have access to your content.
153
+
154
+
#### Encrypted Cookies
155
+
156
+
Encrypting your cookies adds a layer of security since the browser client can not decrypt the data. With this, server side encryption makes cookies only meaningful to the intended back end application, and adds protection so that clients can not sniff the cookies.
157
+
158
+
The encryption you use can be a one-way lookup of the cookie value. It is possible to use the encrypted value as the key to lookup data on the server. This means there is no need to take the cookie value and assume it is valid on the server. The web server can use the encrypted value to confirm what it knows about the client from the session. This one-way look up of encrypted cookie values adds an extra layer of protection.
159
+
135
160
For instance, in the next section the Plug library gives you the ability to perform those actions within the `put_resp_cookie/4` function call. But if you store JSON Web Tokens (JWTs) as the value of your cookie, you can achieve similar signature results through the JWTs themselves.
In the Phoenix Framework, you would use functionality found within the [Plug library](https://hexdocs.pm/plug/Plug.Conn.html#put_resp_cookie/4) to set a cookie.
@@ -159,4 +190,34 @@ conn
159
190
)
160
191
```
161
192
193
+
## Data Privacy For Cookies
194
+
195
+
### Storing personal information
196
+
While cookies by themselves can not dig and research your information, they do store personal information in at least 2 ways: form information and ad tracking.
197
+
198
+
Personal information is not generated by the cookies themselves, but are through user input via website registration pages, payments pages, and other online forms. To ensure proper security measures are in place this information should be encoded through limited interaction via SSL (secure socket layer) certified pages.
199
+
200
+
### Tracking User Behavior
201
+
202
+
For systems that use third party ad serving networks, such as Google's AdSense / AdWord pose additional privacy concerns. When leveraging ad serving platforms there is an impact to user privacy being there is no obvious consent given for such tracking. With the rapid evolution around cookie based ad services and tracking user behavior, it brings up the privacy concern of using default standards for cookies.
203
+
204
+
#### Opt Out Cookies
205
+
Under an opt out scheme, consumers are notified via an alert or window when they load a website. The user must consent to the notice before they can navigate the site and any cookies are planted. At a minimum, the notice is to contain the following: disclosure of information gathering practices, the uses for this information, and policies for processing and disposing of this data.
206
+
207
+
Opt-out cookies are essentially cookies used to avoid cookies. When a website creates an opt-out cookie in your browser folder, it enables you to block that same website from installing future cookies.With this, Opt Out cookies offer safeguards for user information, and help secure systems against potential security concerns regarding “hidden” cookies
208
+
209
+
#### Opt In Cookies
210
+
Opt-in is the process that describes an affirmative action user takes to offer their consent for companies to use their data. Unticked checkboxes or buttons are the most common way in which you can implement opt-in mechanisms to obtain users’ consent.
211
+
212
+
#### Which One To Use?
213
+
If you want to be legally compliant, it is safer to have both the options with opt-out as the default.
0 commit comments