Cookies and Hidden Fields

Even when an application is truly stateful, it still needs to pass session identifier information back and forth between the browser and itself. This need arises because HTTP typically closes the TCP connection after every response, so when the user issues another request, the application must have some way of determining that this user is already in an application session.

There are two ways of passing information back and forth between the browser and the Web server: cookies and hidden fields. Let's consider some advantages and disadvantages of each approach.

Cookies

Cookies rely on the browser for their handling. A browser sends the appropriate cookies to the Web server along with the HTTP request if any cookies have been received from the same server earlier. Popular browsers such as Netscape, Internet Explorer, and Opera handle cookies very well.

The disadvantage of cookies is that many sites use cookies to track user behavior. Sites that display advertising banners have been known to infringe on user privacy by collecting excessive information about the user, simply by tracking user activity via cookies and HTTP referrers. Unfortunately, browsers don't have enough built-in mechanisms to allow and deny certain cookies selectively. For this purpose, programs such as Cookie Pal come to our aid.

Cookies have an advantage over hidden fields: hidden fields always require an HTML form on every page in order to be transmitted back to the server, whereas cookies don't require any HTML forms.

Hidden Fields

Hidden fields within HTML forms can also be used to transmit information back and forth between the browser and the Web server. The advantage that hidden fields have over cookies is that they work even when a browser is set to deny all cookies.

However, both means of passing information back and forth are prone to tampering: users can change the values of both cookies and hidden fields while interacting with a Web application. For this reason, devising tamper-resistant session identifiers and session tracking mechanisms is important.
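As an added illustration of that last point (example code written for this page, not from the book), the two usual defences: a random, opaque session identifier whose state lives in a server-side table, and, when state must travel in a cookie or hidden field anyway, an HMAC tag that makes any client-side edit detectable. The function names and the in-memory session table are assumptions for the demonstration.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Server-side secret. In a real deployment it comes from a secrets store and
# never reaches the browser; it is generated fresh here for the demonstration.
SERVER_KEY = secrets.token_bytes(32)

# Server-side session table: opaque id -> state. The browser only sees the id.
SESSIONS: dict = {}

def new_session(state: dict) -> str:
    """Preferred design: the cookie or hidden field carries only a random,
    unguessable id; the real state (user id, role) stays on the server."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = dict(state)
    return sid

def sign(payload: dict) -> str:
    """When state must travel in a cookie or hidden field, append an HMAC
    over the encoded payload so that client-side edits are detectable."""
    body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).decode()
    tag = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"

def verify(token: str) -> Optional[dict]:
    """Return the payload only if the MAC matches, otherwise None."""
    body, sep, tag = token.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):  # constant-time comparison
        return None
    try:
        return json.loads(base64.urlsafe_b64decode(body))
    except ValueError:  # malformed base64 or JSON
        return None

def client_edit(token: str, new_payload: dict) -> str:
    """Simulate a user rewriting the value in the browser while keeping the
    original tag; verify() rejects the result because the MAC no longer matches."""
    body = base64.urlsafe_b64encode(json.dumps(new_payload, sort_keys=True).encode()).decode()
    return body + "." + token.rpartition(".")[2]
```

The server must treat a failed `verify()` exactly like a missing session and never fall back to trusting the unsigned value.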

Web Hacking: Attacks and Defense
ISBN: 0201761769
Year: 2005
Pages: 156