[CS] Hashing, Cookie Day-81

Hashing

Converting one value into another value by applying a fixed operation (the hash function).

What makes a good hash?

  • It should not take long to calculate the hash value.

  • Every input value should map to a unique hash value (two different inputs should not produce the same hash).

  • Even a very small change in the input should produce a different hash value.

Hashing process

When a client requests information from the server, the password the user set is sent along with the request.

The server receives the submitted data from the client and the stored record from the DB, compares the submitted password with the stored one, and if the passwords match, responds to the client with the information received from the DB.

Encryption (performed when the password is set)

Encryption is the process of transforming a set of information into another form using an algorithm, so that it cannot be understood by anyone except the person who owns the information.


Salt

Adding some extra value to the data that needs to be hashed.

  • With hashing alone, the same input always produces the same hashed result.

  • With a salt, stronger protection is achieved by adding an extra random value to the input before it is hashed.
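The three sections above (properties of a good hash, the server-side password comparison, and salting) in working code. This is an added example, not code from the original post; USERS is a constructed in-memory stand-in for the DB, and the PBKDF2 iteration count is an assumed value.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Added example (not from the original post): the properties of a good hash,
# then salted password storage and the login comparison the server performs.
# USERS is a constructed in-memory stand-in for the DB.


def sha256_hex(data: bytes) -> str:
    """Deterministic, fixed-length digest of arbitrary input."""
    return hashlib.sha256(data).hexdigest()


def bit_difference(hex_a: str, hex_b: str) -> int:
    """Number of differing bits between two equal-length hex digests (avalanche effect)."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


# Password hashing: a deliberately slow hash (PBKDF2-HMAC-SHA256) with a
# random per-user salt. The iteration count is an assumed value.
PBKDF2_ITERATIONS = 100_000
SALT_LEN = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest); a fresh random salt is drawn when none is given."""
    if salt is None:
        salt = secrets.token_bytes(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, stored: bytes) -> bool:
    """Re-hash the candidate with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored)


USERS: Dict[str, Tuple[bytes, bytes]] = {}  # constructed "DB": username -> (salt, digest)


def register(username: str, password: str) -> None:
    """Store only salt + digest, never the password itself."""
    USERS[username] = hash_password(password)


def login(username: str, password: str) -> bool:
    """The server-side step: hash what the client sent and compare with the DB record."""
    record = USERS.get(username)
    if record is None:
        # Hash anyway so an unknown user takes as long as a wrong password.
        hash_password(password, b"\x00" * SALT_LEN)
        return False
    salt, stored = record
    return verify_password(password, salt, stored)


if __name__ == "__main__":
    a, b = sha256_hex(b"hello"), sha256_hex(b"hellp")
    print(a)
    print(b, f"({bit_difference(a, b)} of 256 bits differ)")
    register("alice", "correct horse battery staple")
    print(login("alice", "correct horse battery staple"))  # True
    print(login("alice", "wrong password"))                # False
    # Same password for two users: different salts give different digests.
    register("bob", "correct horse battery staple")
    print(USERS["alice"][1] != USERS["bob"][1])             # True
```

Note that the salt is stored next to the digest in plain form; it is not a secret. Its job is only to make the same password hash to different values for different users, so precomputed tables cannot be reused.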


Cookie

One of the ways the server stores data on the client.
(If the server wants, it can use cookies to get data back from the client.)

So cookies do not only mean sending data from the server to the client; they also include the client sending cookies back to the server.

The server passes a Set-Cookie header to the client, and the client includes the received cookie in later requests to the server.

Cookie Options

  • Domain: Defines the host to which the cookie will be sent. If omitted, this attribute defaults to the host of the current document URL, not including subdomains.

  • Path: Indicates the path that must exist in the requested URL for the browser to send the Cookie header. The forward slash (/) character is interpreted as a directory separator, and subdirectories are matched as well.

ex) Path=/docs

/docs
/docs/Web/
/docs/Web/HTTP

will all match.

  • Max-Age or Expires: Max-Age indicates the number of seconds until the cookie expires. A zero or negative number expires the cookie immediately.

If you do not log out on a shared computer, someone may steal your cookies, so the server can specify automatic destruction of the cookie after a certain period of time.

  • HttpOnly: Determines whether a script can access the cookie.

  • Secure: Indicates that the cookie is sent to the server only when a request is made with the https: scheme (except on localhost), and therefore, is more resistant to man-in-the-middle attacks.

  • SameSite: Controls whether or not a cookie is sent with cross-origin requests.

ex) The possible attribute values are:

SameSite=Strict (cookies are not sent on cross-site requests)

SameSite=Lax (only GET requests can send cookies cross-site)

SameSite=None (cookies are sent with requests of every method, but the Secure option is absolutely necessary for safety.)

SameSite allows you to defend against CSRF attacks.
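The cookie options above, as an added example that is not part of the original post: building a Set-Cookie header with the standard library's SimpleCookie, then a simplified model of the rules a browser applies (Path, Secure, SameSite) before attaching the cookie to a request. The Request class and the browser_would_send model are assumptions for illustration, not a complete description of any browser's behaviour; the path rule follows RFC 6265 and reproduces the Path=/docs matches listed above.

```python
from dataclasses import dataclass
from http.cookies import SimpleCookie
from typing import Optional

# Added example (not from the original post). build_set_cookie uses the real
# http.cookies API; Request and browser_would_send are an assumed, simplified
# model of how a browser decides whether to attach a cookie.


def build_set_cookie(name: str, value: str, *, path: str = "/", max_age: Optional[int] = None,
                     secure: bool = True, httponly: bool = True, samesite: str = "Lax") -> str:
    """Return the Set-Cookie header value for one cookie with the given options."""
    jar = SimpleCookie()
    jar[name] = value
    morsel = jar[name]
    morsel["path"] = path
    if max_age is not None:
        morsel["max-age"] = max_age   # seconds; 0 or negative expires immediately
    morsel["secure"] = secure          # flag attributes are emitted only when True
    morsel["httponly"] = httponly
    morsel["samesite"] = samesite      # supported by SimpleCookie since Python 3.8
    return morsel.OutputString()


def path_matches(cookie_path: str, request_path: str) -> bool:
    """RFC 6265 path-match: /docs matches /docs, /docs/Web/, /docs/Web/HTTP, not /documents."""
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"


@dataclass
class Request:
    method: str
    scheme: str                  # "http" or "https"
    host: str
    path: str
    cross_site: bool             # was the request initiated from a different site?
    top_level_nav: bool = False  # a navigation (link click) rather than a form POST or fetch


def browser_would_send(cookie: dict, req: Request) -> bool:
    """Decide whether a cookie (attributes as a dict) is attached to the request."""
    if not path_matches(cookie.get("path", "/"), req.path):
        return False
    if cookie.get("secure") and req.scheme != "https" and req.host != "localhost":
        return False
    samesite = cookie.get("samesite", "Lax")
    if req.cross_site:
        if samesite == "Strict":
            return False                       # never on cross-site requests
        if samesite == "Lax":
            return req.method == "GET" and req.top_level_nav
        if samesite == "None":
            return bool(cookie.get("secure"))  # None without Secure is rejected
    return True


if __name__ == "__main__":
    print(build_set_cookie("session", "abc123", path="/docs", max_age=3600))
    lax = {"path": "/", "secure": True, "samesite": "Lax"}
    forged_post = Request("POST", "https", "bank.example", "/transfer", cross_site=True)
    link_click = Request("GET", "https", "bank.example", "/account", cross_site=True, top_level_nav=True)
    print(browser_would_send(lax, forged_post))  # False: Lax blocks a cross-site POST
    print(browser_would_send(lax, link_click))   # True: Lax allows a top-level GET
```

The Lax branch is why the option blunts CSRF: a form POST auto-submitted from another site arrives without the session cookie, while ordinary links into the site keep working.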

CSRF?
Cross-Site Request Forgery: manipulating a user into sending a request to a specific address on another site.
ex) Money is withdrawn from my account when I click a link in spam.

Conditions for a CSRF attack

  • Login state kept by cookies

  • Predictable request path

How to prevent CSRF attacks

  • Use CSRF tokens.

  • Use the SameSite option.
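A CSRF token defence (the synchronizer-token pattern) as an added example, not code from the original post. SESSIONS stands in for server-side session storage, and the form HTML and the /transfer handler are constructed for illustration. The point it shows: the browser attaches the session cookie to any request, but the token lives in the page itself, which a spam page cannot read, so a forged request fails the check.

```python
import hmac
import re
import secrets
from typing import Dict, Optional

# Added example (not from the original post): synchronizer-token CSRF defence.
# SESSIONS is constructed server-side session storage; the form and the
# /transfer handler are hypothetical.

SESSIONS: Dict[str, Dict[str, str]] = {}  # session_id (the cookie value) -> session data


def new_session(user: str) -> str:
    """Create a session; the CSRF token is random and bound to this session only."""
    session_id = secrets.token_urlsafe(32)
    SESSIONS[session_id] = {"user": user, "csrf_token": secrets.token_urlsafe(32)}
    return session_id


def render_transfer_form(session_id: str) -> str:
    """The page the legitimate site serves: the token travels in a hidden field."""
    token = SESSIONS[session_id]["csrf_token"]
    return (
        '<form method="POST" action="/transfer">'
        f'<input type="hidden" name="csrf_token" value="{token}">'
        '<input name="amount"><button>Send</button></form>'
    )


def token_from_form(html: str) -> Optional[str]:
    """What the browser submits from the real page; a page on another site cannot read it."""
    match = re.search(r'name="csrf_token" value="([^"]+)"', html)
    return match.group(1) if match else None


def handle_transfer(session_id: Optional[str], form: Dict[str, str]) -> int:
    """Server handler. Returns an HTTP status: 401 no session, 403 bad token, 200 accepted."""
    session = SESSIONS.get(session_id or "")
    if session is None:
        return 401
    submitted = form.get("csrf_token", "")
    # Constant-time comparison on bytes (compare_digest rejects non-ASCII str).
    if not hmac.compare_digest(submitted.encode("utf-8"), session["csrf_token"].encode("utf-8")):
        return 403
    return 200


if __name__ == "__main__":
    sid = new_session("alice")  # the browser keeps sid in a cookie
    # Legitimate flow: the form served by the site carries the token back.
    form = render_transfer_form(sid)
    print(handle_transfer(sid, {"csrf_token": token_from_form(form) or "", "amount": "100"}))  # 200
    # Forged flow: the cookie is attached automatically, but the token is missing or guessed.
    print(handle_transfer(sid, {"amount": "100"}))                         # 403
    print(handle_transfer(sid, {"csrf_token": "guess", "amount": "100"}))  # 403
    print(handle_transfer(None, {"amount": "100"}))                        # 401
```

The token check and the SameSite option are independent layers: SameSite stops the cookie from being attached in the first place, and the token rejects a forged request that arrived with a cookie anyway.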


Staying connected with cookies

The server sends a cookie containing authentication information to the client, and the client sends the received cookie along with each request, which keeps an otherwise stateless Internet connection stateful.

Cookies can be kept for a long time, but storing sensitive information in them is risky because cookies can be lost or stolen.
