As of October 2011, the current specification for cookies is RFC 6265 (published April 2011), which replaced RFC 2965.
The types of cookies
- Session Cookie
- Persistent Cookie (also known as tracking cookies)
- Secure Cookie
- Http Only Cookie
- Third Party Cookie
- Super Cookie
- Zombie Cookie
Session Cookie
This type only lasts for the duration of the browsing session: the browser discards it when it is closed (browsers that restore sessions may keep it a little longer). A cookie is a session cookie when neither an 'Expires' nor a 'Max-Age' attribute is provided when it is created.
Persistent Cookie
This type outlasts the browsing session because it is set with an 'Expires' or 'Max-Age' attribute; the server chooses the lifetime, and the browser sends the cookie with every request to the site until it expires or is deleted. Because the value survives between visits, the site can recognise a returning user and, for example, record how the user originally came to the site, which is why it is also known as a tracking cookie.
Secure Cookie
This type has the 'Secure' attribute set, so the browser will only send it over HTTPS, keeping it out of plaintext requests. Note that this protects confidentiality in transit, not integrity: RFC 6265 points out that an active network attacker can still set or overwrite a Secure cookie from an insecure HTTP response for the same domain, so the server should not trust the value simply because the attribute is present.
Http Only Cookie
Supported by most modern browsers, this type is still sent with HTTP/HTTPS requests but is hidden from client-side script: document.cookie does not return it. This limits what an XSS payload can do, since injected JavaScript cannot simply read the session cookie and send it elsewhere, but it does not eliminate the risk, because script running in the page can still make requests that carry the cookie.
Third Party Cookie
This type has its domain set to a site other than the one the user is visiting; it is set by a resource (an advert, script, or image) loaded from that other site. Advertisers commonly use this to track a user's browsing history across sites.
Super Cookie
This type has its domain set to merely a public suffix, such as .com or .co.uk, which would let it be sent to every site under that suffix. Browsers consult a public suffix list and reject such cookies.
Zombie Cookie
This type is recreated automatically by other means after the user has deleted it, for example from a copy kept in local Flash storage or another client-side store.
RFC 6265 asks that a web browser be able to store at least 4096 bytes per cookie, at least 50 cookies per domain, and at least 3000 cookies in total; the older figures of 300 cookies of 4KB each and 20 cookies per domain come from RFC 2109 and RFC 2965.
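The attributes above, as an added example that is not code from the original post: a small parser for a Set-Cookie header in the shape RFC 6265 section 5.2 describes, and a classifier that labels the result with the cookie types listed here (session, persistent, secure, HttpOnly, third-party, super cookie). The public suffix list, host names, and cookie values are assumed and constructed for the example, and the third-party check compares registrable domains, which is a simplification of what browsers do.

```javascript
// Added example (not from the original post): parse a Set-Cookie header
// roughly as RFC 6265 section 5.2 describes, then label the cookie with the
// types discussed above. Host names, cookie names and values are constructed.

// A stand-in for the public suffix list that browsers ship.
// Assumption: only these suffixes matter for the sample inputs.
const PUBLIC_SUFFIXES = new Set(['com', 'net', 'org', 'co.uk']);

function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim());
  const eq = parts[0].indexOf('=');
  if (eq < 0) throw new Error('Set-Cookie needs a name=value pair');
  const cookie = {
    name: parts[0].slice(0, eq).trim(),
    value: parts[0].slice(eq + 1).trim(),
    expires: null,   // Expires date string, if any
    maxAge: null,    // Max-Age in seconds, if any
    domain: null,    // Domain attribute with any leading dot removed
    secure: false,
    httpOnly: false,
  };
  for (const attr of parts.slice(1)) {
    const i = attr.indexOf('=');
    const key = (i < 0 ? attr : attr.slice(0, i)).trim().toLowerCase();
    const val = i < 0 ? '' : attr.slice(i + 1).trim();
    switch (key) {
      case 'expires': cookie.expires = val; break;
      case 'max-age': cookie.maxAge = Number(val); break;
      case 'domain': cookie.domain = val.replace(/^\./, '').toLowerCase(); break;
      case 'secure': cookie.secure = true; break;
      case 'httponly': cookie.httpOnly = true; break;
      default: break; // unrecognised attributes are ignored, as the RFC says
    }
  }
  return cookie;
}

// RFC 6265 section 5.1.3: a host matches a domain if it is that domain or
// a subdomain of it.
function domainMatches(host, domain) {
  return host === domain || host.endsWith('.' + domain);
}

// The registrable domain is the label just above the public suffix,
// e.g. www.example.com -> example.com, www.bbc.co.uk -> bbc.co.uk.
function registrableDomain(host) {
  const labels = host.split('.');
  for (let i = 1; i < labels.length; i++) {
    if (PUBLIC_SUFFIXES.has(labels.slice(i).join('.'))) {
      return labels.slice(i - 1).join('.');
    }
  }
  return host;
}

// requestHost: the host whose response carried the Set-Cookie header.
// topLevelHost: the host of the page the user is actually looking at.
function classify(header, requestHost, topLevelHost) {
  const c = parseSetCookie(header);
  if (c.domain !== null && PUBLIC_SUFFIXES.has(c.domain)) {
    return ['super']; // a browser with a public suffix list drops this cookie
  }
  if (c.domain !== null && !domainMatches(requestHost, c.domain)) {
    return ['rejected']; // section 5.3 step 6: Domain must cover the request host
  }
  if (c.maxAge !== null && c.maxAge <= 0) {
    return ['deleted']; // Max-Age <= 0 expires the cookie immediately
  }
  const types = [];
  // Either Expires or Max-Age makes the cookie persistent (Max-Age wins when both are set).
  types.push(c.maxAge !== null || c.expires !== null ? 'persistent' : 'session');
  if (c.secure) types.push('secure');
  if (c.httpOnly) types.push('httponly');
  // Third party: the cookie's site differs from the site of the top-level page.
  const cookieSite = c.domain !== null ? c.domain : requestHost;
  if (registrableDomain(cookieSite) !== registrableDomain(topLevelHost)) {
    types.push('third-party');
  }
  return types;
}
```

Running classify over a few constructed headers shows the distinctions the list above makes: a header with neither Expires nor Max-Age is a session cookie, one with a Domain of a bare public suffix is a super cookie the browser will drop, and a cookie set by an advertising host embedded in another site's page is third-party whether or not it carries a Domain attribute.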