The article "Ensuring website safety" is provided by Sophos Plc and SophosLabs.

December 2007

A major problem when designing a web application is that a new page request is processed without any reference to the previous requests. It's difficult to ask a web application “to remember the user”.

Most browsers support two methods that web application can use to “remember” visitors: regular cookies and session cookies.

  • A cookie is a small text file created by the browser and stored on the user’s computer. Its content is not regulated, but usually such files store the name, expiration date, and some other data, for example: “Count = 100” or “Member = false” .

  • A session cookie is similar the usual one, but it allows aweb applications to store the data in memory.

The difference is that the usual cookie file is saved on the user's computer and stored there until the user deletes it. A session cookie, on the contrary, is stored only while the computer is on and deleted automatically when the user closes the browser. However, they have a common feature: they are subject to manipulation.

Developers often tend to think that the data from cookie files is safe. Everything should be fine because they develop the code themselves. They are mistaken. A hacker can easily change the cookie (and in some cases, the active session data) to make the site provide access to the closed page.

When designing a system, you should never rely on the user data or on the data from cookies. Try to restrict the amount of data stored in cookies, especially when the data aren't meant to be publicly available. The best approach is to consider all the data stored on the user's computer insecure.

In 2007, the site was attacked with the JS/SpaceStalk-A troyan. It stole information from cookie files and passed it to the remote server. Such data can contain confidential information — users' names, addresses of preferred sites and passwords.