Front-end Security

Cookie

A cookie is a small piece of data sent from a website and stored on the user’s computer by the user’s web browser while the user is browsing.

Cookies let the server remember stateful information:
whether the user is logged in
shopping cart contents
progress while filling in a long form
browsing history (for ads)

Principle

The server uses the “Set-Cookie” header to pass a cookie to the client;
the client uses the “Cookie” header to pass the cookie back to the server.

The browser sends an HTTP GET request;
the server sends an HTTP response carrying Set-Cookie;
the browser includes the Cookie header in subsequent requests.

Session

We use cookies to implement sessions.

Password

We never want to store plaintext passwords.

Hash functions: SHA1 (still not safe); MD5 (broken, never use it).

Issues:
Rainbow table attack;
Password Collision.

SHA1 with SALT

f(password, salt) = hash(password + salt)

Generating a random salt makes the password harder to crack.

If
hash([provided password] + [stored salt]) == [stored hash]
the user is authenticated.

SHA1 with SALT is not 100% secure:

it just adds extra effort to crack a password;
binaries and data should be isolated;
focus more on web-related security;
social engineering & phishing can defeat all protections (the main avenue of compromise).
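The salted scheme above, worked through as an added example (not code from the original notes): per-user random salts, the verification check, a constructed rainbow table that finds none of the salted hashes, and a hypothetical PBKDF2 variant showing how the "extra effort" per guess can be multiplied. The user records and the attacker's table are constructed sample data.

```python
import hashlib
import hmac
import os

# Added example (not from the original notes): the notes' salted-SHA1 scheme.

def make_salt(n_bytes: int = 16) -> bytes:
    """Random salt from the OS CSPRNG; never a constant or a counter."""
    return os.urandom(n_bytes)

def salted_sha1(password: str, salt: bytes) -> bytes:
    """f(password, salt) = SHA1(password + salt), exactly as in the notes."""
    return hashlib.sha1(password.encode("utf-8") + salt).digest()

def store_password(password: str) -> dict:
    """What the server keeps per user: salt and hash, never the plaintext."""
    salt = make_salt()
    return {"salt": salt, "hash": salted_sha1(password, salt)}

def verify_password(record: dict, provided: str) -> bool:
    """hash(provided + stored salt) == stored hash -> authenticated.
    compare_digest keeps comparison time independent of where bytes differ."""
    candidate = salted_sha1(provided, record["salt"])
    return hmac.compare_digest(candidate, record["hash"])

def rainbow_table_hits(records: list, unsalted_table: dict) -> int:
    """Count stored hashes found in a precomputed table of SHA1(password).
    With a random salt per record the count is zero."""
    return sum(1 for r in records if r["hash"] in unsalted_table)

def slow_salted_hash(password: str, salt: bytes, iterations: int = 200_000) -> bytes:
    """Hardened variant (hypothetical addition, not in the notes): PBKDF2 runs
    the hash many times, multiplying the 'extra effort' an attacker pays per guess."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)

def demo() -> dict:
    # Constructed sample data: two users who picked the same weak password.
    alice = store_password("password123")
    bob = store_password("password123")
    # Constructed attacker table: unsalted SHA1 of a few common passwords.
    common = ["password123", "123456", "qwerty"]
    table = {hashlib.sha1(p.encode("utf-8")).digest(): p for p in common}
    return {
        "same_password_same_hash": alice["hash"] == bob["hash"],   # False
        "alice_ok": verify_password(alice, "password123"),         # True
        "alice_wrong": verify_password(alice, "Password123"),      # False
        "table_hits": rainbow_table_hits([alice, bob], table),     # 0
    }
```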