July 22nd, 2024

Demystifying Cookies and Tokens

Tommi Hovi explores cookies and tokens for theft prevention. Cookies store user data, while tokens like JWT manage information exchange. Understanding these is vital for web security and user experience.


Tommi Hovi delves into the world of tokens and cookies to understand and prevent theft. Cookies, small text files created by websites, store user data like preferences and session information. They are essential for HTTP session management, personalization, and tracking. Cookies have attributes like Session ID, Expires, Domain, and HttpOnly to define their behavior. Types of cookies include essential ones like Session cookies and first-party cookies, and non-essential ones like Analytics and customization cookies. On the other hand, tokens like JSON Web Tokens (JWT) are self-contained JSON objects used for information exchange between clients and servers. Tokens carry information about authentication and access rights. Some tokens are stored in cookies for security, especially HttpOnly cookies. The post also touches on protocols like OAuth 2.0 and OpenID Connect (OIDC) used for authorization in web platforms. Understanding cookies and tokens is crucial for enhancing security and user experience on websites.

8 comments
By @yoz - 6 months
I'm hugely grateful for this article: it's the first I've seen that explains JWTs end-to-end with the technical details of how to implement and inspect them on the browser side, including storage.

I haven't needed to understand JWTs in depth, so have never spent the time to do a deep technical dive, but I'd still like to understand how they work. Every time I see a JWT article pass by, I'll jump in and find the general concepts explained but with enough technical gaps that I couldn't understand them in practical terms, especially when compared to my years of previous web-dev experience with cookies.

Also thanks to @unscaled for pointing out PASETO, which aims to fix some of the many problems with JWTs: https://paseto.io/

By @4RealFreedom - 6 months
Third-party cookies are not just used for tracking - they are also any cookies set in an iframe. There are legitimate use cases for third-party cookies. Chrome recently rolled out partitioned cookies, which addresses part of the problem. If you are trying to authenticate via SSO to then show content in an iframe, this just doesn't work, though. There is some behind-the-scenes trickery you might be able to use with reverse proxies, but it's painful. I set up some systems using Keycloak and nginx to force the iframe and IdP on the same domain. You're out of luck if you're using Azure AD or any third-party IdP, though.

By @unscaled - 6 months
> OAuth uses access tokens, which are typically, but not limited to, JSON Web Tokens

This claim is misguided, but I hear it quite often. JWT is a very popular (and downright terrible[1]) format, but there is no evidence that most of the tokens use JWT. It could be worse - I've heard some people claiming with confidence that OAuth mandates JWT.

The reality is that OAuth 2.0 predates JWT, and the implicit assumption was that all tokens are stateful. The access tokens in the examples are all short, and the spec strongly recommends revoking access tokens in case of access code reuse.

This makes JWT access tokens a non-canonical implementation of OAuth 2.0. You could add a "jti" claim (or "uti" claim in case of Microsoft) and then check for revocations in Redis, but then your only achievement was bloating up your access tokens by a factor of 20. Congratulations!

That's the reason why the other Big Tech companies are not using JWT for Access Tokens. It just doesn't make sense when you are at the scale where you need access tokens to be small and moderately long-lived. Users of JWT are more heavily concentrated on the smaller scale: more recent startups and enterprise customers.

---

[1] https://paragonie.com/blog/2017/03/jwt-json-web-tokens-is-ba...

By @programjames - 6 months
The first thing that pops up is

> We use cookies to ensure that we give you the best experience on our website.

> Accept | Decline

Do "non-essential" cookies actually make my experience any better? I always decline and haven't noticed a difference from the pre-GDPR days.

By @st3fan - 6 months
Do not take this article for granted. There are so many incorrect explanations in it. This is a really bad writeup for a security blog. I really don't know where to start ...