COOKIES : Specification, Privacy protection and
preventing Session Hijacking
Manamohan.G
Department of Computer Science
JNN College of Engineering
Shimoga
Abstarct----Nowadays the most frequent thing is
information seeking through any of the websitses. This
paper mainly consolidates on how actually the webpages
or browsers facilitates the requirements of the user, that
is through cookies. Cookies were designed to be a reliable
mechanism for websites to remember stateful information
or to record the user's browsing activity. It also throws
light on the different types of cookies and the main uses
associated with it. The use of cookies to profile individuals
has raised serious security and privacy concerns. Several
countries have enacted privacy protection laws to address
these concerns . These can cause the rigorous glitches to
the system if not handled properly.
Keywords:- Cookies, Privacy, Security, Analysis, Hijacking,
Sessions, One-Time cookies.
I. INTRODUCTION:
A. MEET THE COMPUTER COOKIE:
A computer “cookie” is more formally known as an HTTP
cookie, a web cookie, an Internet cookie or a browser
cookie. The name is a shorter version of “magic cookie,”
which is a term for a packet of data that a computer receives
and then sends back without changing or altering it.
No matter what it’s called, a computer cookie consists of
information. When you visit a website, the website sends
the cookie to your computer. Your computer stores it in a
file located inside your web browser.
B. WHY AND WHAT DO COOKIES DO ?
Surya S
Department of Computer Science
JNN College of Engineering
Shimoga
The purpose of the computer cookie is to help the website
keep track of your visits and activity. This isn’t always a
bad thing. For example, many online retailers use cookies to
keep track of the items in a user’s shopping cart as they
explore the site. Without cookies, your shopping cart would
reset to zero every time you clicked a new link on the site.
That would make it difficult to buy anything online!
A website might also use cookies to keep a record of your
most recent visit or to record your login information. Many
people find this useful so that they can store passwords on
frequently used sites, or simply so they know what they
have visited or downloaded in the past.
Different types of cookies keep track of different activities.
Session cookies are used only when a person is actively
navigating a website; once you leave the site, the session
cookie disappears. Tracking cookies may be used to create
long-term records of multiple visits to the same site.
Authentication cookies track whether a user is logged in,
and if so, under what name.
II. TYPES:
A. SESSION COOKIES:
Also known as a “temporary cookie”, this type of cookie
attaches itself to a user’s computer when they enter and
browse a website. The cookie is then erased when the user
closes the Web browser or exits the site. A session cookie
does not collect information from a user’s computer or
activity while it sits on the system.
-- To Do: Disabling session cookies in your browser can be
difficult. This is due to their “first party” nature, which
means they belong to the website the user is visiting and
subsequently all administrative ability rests with the
administrators of the website.
Also, most well-known sites such as Facebook and Google
are required to have session cookies embedded in their
programming, making it very difficult for users to get
around them.
--To Do: It’s possible to block third-party cookies from your
device. Browsers such as Google Chrome, Firefox, and
Internet Explorer have options in their Settings menu that
allows users to turn off their third-party cookies. Dennis
O’Reilly’s CNET article provides step-by-step instructions
to remove third-party cookies from a select number of
browsers.

B. PERSISTENT COOKIES:

Unlike session cookies, a persistent cookie does not

disappear after a user exits a site. These types of cookies
have a specific expiration date with the cookie continuing to
transmit information to a website’s server every time a user
visits the site until the expiry date comes up.
For this reason, persistent cookies are also known as
“tracking cookies” as marketers can use the information
obtained from the cookies to study user behavior over a
certain period of time.

Persistent cookies are also used to keep users logged into

certain website, thus eliminating the need for them to enter
their log in credentials each time they want to access the
site.
From a security perspective, it’s important to note that users
should not enable the “keep me logged in” function offered
on websites. This is not a safe practice and can be
dangerous if any unwanted third-party were to gain access
to your device.
--To Do: Some websites and web browsers allow users to
disable their cookies. However, this cause problems in the
functionality of the website or browser as information
needed to run the sites such as user IDs and recently saved
searches will not be available if the user has disabled the
cookies that retrieve this information.
In lieu of disabling cookies altogether, a safer option might
be to clear your cache of cookies every once and a while to
free up space on your device and get rid of any unwanted
cookies.
Fig1 : Comparing the percentage of
third-party cookies set by e-Commerce
websites against e-Government websites
III. WEBSITES WITH PRIVACY PROTECTION:
Today’s internet websites are developed with functionalities
that allow website owners to track activities of users visiting
their websites. One of the mechanisms by which websites
perform the tracking functionality is through cookies .
Depending on the type of information involved, these
tracking activities may lead to personal information being
leaked which can result in a breach of users’ privacy
A. SIGNIFICANT PROBLEMS RENDERED BY
WEBSITES:

C. THIRD PARTY COOKIES:
A good example of third-party cookies is through
advertisements or banners for third-party products or
services present on a website. Cookies are also present in
the social media “buttons” commonly found on websites.
When a user encounters an article or a piece of information,
the website will provide the option to share the content
thereby activating the designated social media’s cookies.
A 2015 report also found 76% of adults responding that they
were not confident about the privacy and security of the
records of their activities maintained by the online
advertisers who place adverts on the websites visited by
them. Tracking of users without their consent can be
considered as a violation of their privacy .
Recent examples of the impacts of enforcement of such
regulations involved Google and Facebook. Google was
fined $22.5 million in August 2012 for placing
“DoubleClick Advertising Cookies” on users’ systems scheme that utilizes one way hashing and sparse caching
which was considered a violation of the consent order . Also techniques, but practically it is not impLementable, their
in February 2016, Facebook was found to be tracking non- research focuses only on hashing, but it does not describe
Facebook account holders with cookies by the French data
how a session hijack is being prevented.
protection authority prompting the authority to issue
Facebook an ultimatum of three (3) months to comply with
Not even one of the previously described mechanisms has
the regulation. This urges the need for a more detailed study
about the degree of adherence to privacy protection laws by been widely deployed. Even though many of them prevent
different websites, when setting cookies on users' computer session hijacking, they miss the mark to address the
systems. necessities of highly distributed web appLications,
particuLarly requests statelessness. As a resuLt, most of the
B. SESSION HIJACKING: web appLications have opted for aLways on HTTPS as the
main defense against session hijacking attacks. However,
aLways on HTTPS may be probLematic to depLoy,
A Lot of security issues have been raised due to the use of
particuLarLy in Large web appLications, because they were
cookies as session authentication tokens. Several surveys
not designed for such requirement. ALwaysY on HTTPS
have proved multiple problems with web authentication
not onLy affects the performance but aLso impacts existing
mechanisms, including susceptibility to session hijacking
functionaLity (e.g., virtuaL hosting, appLications and
attacks. As a result, security researchers have suggested
network content filtering ). Therefore, to effectiveLy
changes to improve the robustness of authentication
prevent session hijacking attacks, a more robust, efficient,
cookies. Park et al and Fu et al suggested a mechanism
and practicaL aLternative is needed.
using a cookie that provided improved privacy and integrity
guarantee by using well known as cryptographic techniques.
Moreover, these authors made use of cookie expiration time IV. TRACKING THROUGH THE GLITCHES:
to reduce the impact of session hijacking attacks. On the
other hand, many applications use Long expiration time to
The result of the evaluation also revealed that United
avoid affecting a userГs experience, reducing the Kingdom has the highest number of compliant websites
effectiveness of this approach. As a substitute to cookies for with
the identification and authentication of users, Juels et al about 70% of the websites being compliant with the privacy
proposed the use of cache cookies, which are stored in web protection law. It is recommended that the regulatory
browsers by servers (e.g., browser history and temporary agencies in the least compliant countries should adopt
internet files). Even though resistant to pharming attacks, United Kingdom’s model of driving enforcement with the
relevant laws. It was also observed that apart from being
cache cookies need HTTPS for protection to prevent active
able to classify cookies into firstparty and third-party, it is
attacks. In addition, HTTPS only protect cookies on a practically impossible to know the functions of such cookies
network. An adversary can aLso steal cookies from a userГs except they are explicitly stated. It is recommended that
computer through many different attacks (e.g., cross site website developers should adopt a standard naming
scripting attacks , cross site tracing attacks , and convention that will allow users to easily identify the
domainYreLated attacks . Always on HTTPS is the most functions of the web cookies being set on their computers.
The various web browsers provide users with the settings to
recommended defense against session hijacking. To secure
determine the type of cookies being set.
communication in an Internet session, Lamport proposed
one way hash chain (OHC) technique2a cryptographic
technique that relies on one time passwords. Specifically,
the OHC technique has been utilized in many applications
with the goal of reducing the possibility of session
hijacking. For exampLe, the authors proposed a mechanism
using OTC, a disposable credential, to replace
authentication credentials. To protect a userГs session,
implementing a framework that ties a session to a current
browser by fingerprinting and monitoring an underlying
browser and also detecting browser changes at server side.
The OTC generates a set of tokens that are used only once
and discarded once used. The authors proposed a hybrid
TABLE I. COMPARISON OF PRIVACY OTC through which he/she wiLL be authenticated for every
request he/she makes. Each time a user sends a request, an
PROTECTION LAWS OF SELECTED OTC is sent aLong with the request.
COUNTRIES
ii. RPS:

A proxy server is nothing but a computer that acts as an

intermediary between an endpoint device. It is mainLy used
at a user or cLient side. However, instead of using a proxy
server here at the cLient side, we use RPS at the sever side.
Thus, every request from the user has to pass through RPS.
The function of RPS is to obtain IP address, browser
fingerprint, set OTC, and session ID, and for each incoming
request, RPS wiLL check for IP address, session ID, OTC,
and browser fingerprint. If some of these parameters wouLd
change, then RPS wouLd redirect to another page.

iii. Server:

This is the actuaL server to which a request is sent by a

cLient. The server checks credentiaLs, process aLL cLient
requests, and sends responses to aLL cLients.

However these settings only allow users to opt out based on

cookie domain classification (first-party and third-party
cookies). The developers of web browsers could enhance
the settings to allow users control the type of cookies set
based on the purpose or functionalities of such cookies.
There are several ways that our research could be extended.
An investigation can be done to find out why some e-
government websites set third-party cookies which may be
used for tracking and targeted advertising. Another area is
the evaluation of the compliance of similar technologies
such as device fingerprinting, web beacons and local shared
objects (LSO) to the privacy protection laws. The size of the
dataset of this research could also be increased in order to
improve on the results of our findings.

 PROPOSED SYSTEM FOR

PREVENTING SESSION HIJACKING:

WITH MODIFIED OTC The components of the proposed

system are as foLLows :

i. User:

A user or cLient is the one who initiates a request. Suppose Fig2. BLock diagram of the proposed
a user wants to purchase something, he wiLL send a request system for preventing session hijacking
that contains a userГs username and password to the server.
After successfuL authentication, the user wiLL be given an with modified OtC.
  The Proposed system works as follows
(Fig. 2):
1. User enters his/her credentiaLs.
2. A request is sent to RPS, which coLLects IP
address and browser fingerprints from cLient and
forwards the request to server
.
3. the server checks the credentiaLs, processes the
request, i.e., it fetches the requested page and sends
it to the cLient, but before that, it passes through
RPS.
4. RPS creates OtC, session ID, and gives it to the
cLient, and it aLso forwards the response.
5. User then stores OtC.
6. From now on for every request made by the user,
the user sends OtC to RPS.
7. RPS checks it and again creates OtC for every new
request made by the user.
8. RPS terminates the session if session ID, IP
address, OtC, and browser fingerprint changes.
 Advantages and Disadvantages
Cookies:
Cookies enable you to store the session information on the
client side which has the following advantages,
i. Persistence: One of the most powerful aspects of
cookies is their persistence. When a cookie is set
on the client's browser, it can persist for days,
months or even years. This makes it easy to save
user preferences and visit information and to keep
this information available every time the user
returns to your site. Moreover, as cookies are
stored on the client's hard disk so if the server
crashes they are still available.
ii. Transparent: Cookies work transparently without
the user being aware that information needs to be
stored.
iii. They lighten the load on the server's memory.
Disadvantages of Cookies:
The following are the disadvantages of cookies :
i. Sometimes clients disable cookies on their
browsers in response to security or privacy worries
which will cause problem for web applications that
require them.
ii. Individual cookie can contain a very limited
amount of information (not more than 4 kb).
iii. Cookies are limited to simple string information.
They cannot store complex information.
iv. Cookies are easily accessible and readable if the
user finds and reopens.
v. Most browsers restrict the number of cookies that
can be set by a single domain to not more than20
cookies (except Internet Explorer). If you attempt
to set more than 20 cookies, the oldest cookies are
automatically deleted.
of V. CONCLUSION:
Cookies, even malicious ones, aren't viruses. The plain text
nature of cookies means they cannot be executed on your
computer.
So your antivirus software does little-to-nothing to protect
against malicious cookies. However, there are at least two
things you can do to protect yourself against becoming a
victim of cookie fraud:
 Keep your browser up to date. Many cookie exploits are
designed to take advantage of security holes in outdated
browsers. Most browsers today update automatically, but if
you happen to be using an antiquated browser, stop using it
and update it.
 Avoid questionable sites. If you are ever warned either by
your browser or by a search engine that a site is potentially
malicious, don't proceed to the site. It just isn't worth the
risk.

VI. REFERENCES:

[1] Types of COOKIES

v1.2.http://us.Norton.com,oct,2008.

[2] Neelam M and P Zafsy , “Compliance

Evaluation of Cookies”,IEEE,pp548-556,2015.

[3] V Joseph and Anuradha K,”System for preventing

Session Hijacks”,IEEE,2017.

[4] A. Javed, C. Merz and J. Schwenk, "TTPCookies:

Flexibble Third-Party
Cookie Management for Increasing Online Privacy," IEEE, pp. 37-
44,