2

Working on a web application, I noticed that some visitors browsers send to the server cookies not received previously from my scripts.

My scripts set only session cookies and only for users logged in, so these visitors guaranteed have no my cookies set in their browser.

I don't have JS on the site. Plain HTML+CSS.

The browsers behaving this way are Chrome and Safari.

How this can happen? What are these cookies?

Should I display a warning message for these visitors that their browser behaves strange?

johnfound
  • 6,857
  • 4
  • 31
  • 60
  • 1
    Posting those cookies may help identifying the origin. – Rei Dec 19 '16 at 09:09
  • Unfortunately, I didn't kept them. I noticed this effect only because my server side engine crashed, because of cookies handling bug. Now the bug is fixed, but I will need to write some kind of trap and then to wait for special kind of visitors in order to get these cookies. – johnfound Dec 19 '16 at 19:51
  • 1
    While you're waiting, log every cookie. But your engine crashed because of cookies? There's something wrong with that. Maybe you should post the code in code review. – Rei Dec 19 '16 at 23:39
  • It is normal for the applications to crash if there is a bug. Isn't it? But, well, I will try to log some cookies, not sure how long I should wait for the right one to be logged. – johnfound Dec 20 '16 at 07:59
  • Now the logging of the bad cookies is active. Some zerg rush on http://board.asm32.info is highly desirable :D – johnfound Dec 20 '16 at 08:57
  • And now the game is patience, and I don't mean solitaire. Let us know. – Rei Dec 20 '16 at 09:13

2 Answers2

3

As a site operator, you can request cookies to be set in the cookie jar of a browser visiting the site. You can choose to make persistence of those cookies across a session mandatory for your site to function (as it sounds like you have done by requiring session cookies are presented back to you to keep a user logged in). However, you do not "own" the cookie jar and you cannot control what other cookies (including both session and persistent cookies) may be presented to you along with the session cookies that you set. In general, your code should look for the cookies you expect and ignore any that you don't expect. It would not be good practice to take any action based on the presence of "extra" cookies that you weren't expecting because they are not under your control.

The user is the one who controls their cookie jar, with the assistance of the browser. They can choose to disable handling of cookies entirely (or use a client that does not support them). If you find that your own session cookies are not coming back when you expect them to be, it would be good in that case to let the user know it is because their client does not seem to support cookies, or to implement a fall-back plan for session management that does not require cookies, but in my opinion no warning message would be appropriate in case "extra" cookies received.

Since the user controls their browser, they can set any cookies they like in their browser by editing the cookie jar manually. If they set a cookie that would apply to your site's domain and path, the client will send those cookies along with the HTTP request to your site.

In addition, if your site shares any part of its domain with other sites, those other sites may set cookies that will be presented to your site as well. For example, if your site was accessible at: http://site1.example.com/ but there was another site accessible at: http://site2.example.com/, the operator of site2 could set cookies with the domain set to example.com in which case they would be presented both to site1 and site2 (and any other subdomain of example.com).

Even if your site is accessible only on a domain you control, there is a possibility that a browser could have "supercookie" prevention disabled (cookies that are set on a top-level domain name such as ".com"). Normally, browsers should disallow those "public suffixes" (see https://www.rfc-editor.org/rfc/rfc6265#section-5.3) but it may be possible to disable that in advanced browser settings.

To avoid potential attacks on your site through cookies from other domains, it is good practice for you to verify that the cookie domain and path match as well as the cookie value itself.

Community
  • 1
  • 1
jrandall
  • 300
  • 1
  • 5
2

There are at least three vectors I can think of that might throw additional cookies onto the requests being made to your server:

  • unintentional scripts running on your pages: an XSS exploit, mischievous ad or CDN serving an altered version of a file runs some JavaScript in the context of your page, setting cookies.
  • weird clients: nothing prevents people from sending arbitrary garbage in their requests to your server and extra cookies could be added easily; are you logging other things about the request headers that might show these requests to be strange? Note that if someone is just messing around with their browser's cookie jar, you won't see any indication of it beyond the altered cookies.
  • weird network or proxy: no HTTPS means someone's request (with the cookie headers) or your server's response (with the set-cookie headers) can be pretty easily modified before it gets to your server; are the requests with the odd cookies coming from a specific IP or IP range?

In short, cookies work through the cooperation of your server and its clients rather than some sort of bulletproof mechanism.

There are different options for what you do when you find one of these cookies and maybe the simplest thing (if they are distractions more than anything else) would be to delete them.

Community
  • 1
  • 1
ellisbben
  • 6,352
  • 26
  • 43