Sunday, November 14, 2010

Cookies are gross

Alpha-geek Jeff Atwood wrote a post yesterday called Breaking the Web's Cookie Jar. It's about MitM + session hijacking attacks on HTTP (ala FireSheep).

Jeff says that instead of us using HTTPS for everything, he'd "rather see a better, more secure identity protocol than ye olde HTTP cookies".

The thing is.. it already exists and has done since 1997 , see:

There is a more fundamental reason to hate cookies and avoid using them in your application:

Cookies are crap because they are used to create shared state over a protocol that is deliberately stateless, and session hijacking is just one example of the problems that causes.

They were a hack designed to overcome the historical limitations of browsers as a client; browsers sucked at managing and presenting their client-side state to users, so cookies were created as a way to offload that responsibility to the server which would maintain the shared state and render that should-be-client-side state into the web pages. This approach to application design is not scalable and is horribly inefficient. You can't cache pages that vary by the client accessing them. This led to applications requiring things like ESI just to stay performant (I'm looking at you, Magento).

Fortunately, with 'HTML5 & co.' browsers are now developing more sophisticated features which are eliminating the need for shared state altogether.

Back to the point then, I suppose.. Auth is, as far as I can tell, relatively well covered by HTTP Digest but for three things:

  1. No control over the login box gives designers a heart attack
  2. There's no way to logout other than closing the browser (which people don't do all that much anymore)
  3. A feasible subset of Digest features should be identified to keep things simple and help interop
Hopefully that will lead to "a better online identity solution than creaky old HTTP cookies" and, in the process, help us to move away from cookies entirely.

p.s: WebID looks interesting, too.


  1. Digest does not solve this problem.

  2. Digest is still sent in plain text unless it's on HTTPS and is, generally, only supported by the web server and not passed on as credentials to an underlying application (i.e. for identifying a particular user vs. identifying that the credentials give you access to a particular folder).

    The only thing encrypted with Digest without HTTPS is the .htaccess file's copy of the password.

  3. n/m I thought you were talking about something else. Digest is still circumvented with MitM attacks, though.

  4. Digest is significantly more secure than cookies or HTTP Basic.