Is CH4
Uploaded by Pragati Bhat

4. User authentication
Main Points:
 User authentication: Overview, Passwords
 Challenge response, Zero knowledge proof,
 Password cracking, Biometrics.

User Authentication
Authentication is the process of verifying the identity of a user. It’s
essential in information security to ensure that only authorized users can
access a system or resource.
Three Types of User Authentication
1. Something You Know:
o Examples: Passwords, PINs, security questions (e.g., mother’s
maiden name, date of birth). Security questions are the weakest of
these: the answers are often public or easy to guess.
o Example with Alice and Bob:
 Alice wants to access Bob's server. Bob asks her for her
password. If Alice provides the correct password, she's
authenticated.
2. Something You Have:
o Examples: Smartcards, ATM cards, hardware tokens, or devices
that generate one-time passwords.
o Example:
 Alice uses a hardware token provided by Bob's system.
The token generates a one-time password that Alice
enters to log in.
3. Something You Are:
o Examples: Biometric traits like fingerprints, voice recognition,
facial scans, or even gait analysis.
o Example:
 Bob's system authenticates Alice by scanning her
fingerprint before granting her access.
Access Control
Access control is a fundamental concept in information security, designed
to regulate access to resources in a computing environment. It answers
two crucial questions:
1. Authentication: Who are you?
This confirms a user's identity using methods like passwords,
biometrics, or tokens.
2. Authorization: What are you allowed to do?
This ensures that authenticated users can only access resources and
perform actions they are permitted to.
Components of Access Control
1. Authentication
Authentication verifies the identity of a user or system.
 Human to Machine Authentication: Example: Alice logs into Bob's
server by providing her username and password.
 Machine to Machine Authentication: Example: A database
authenticates an application server using API keys.
Methods of Authentication:
 Single-Factor Authentication: A single layer of security (e.g., just a
password).
 Multi-Factor Authentication (MFA): Combines two or more factors
(e.g., password + fingerprint).
 Certificate-Based Authentication: Machines or users are
authenticated using digital certificates.
2. Authorization
Authorization determines the actions or resources a user is allowed to
access after authentication.
Key Principles:
 Principle of Least Privilege (PoLP): Users should only be granted
permissions they need to perform their job and no more.
o Example: Alice, a data analyst, only has read access to financial
records, not write access.
 Separation of Duties (SoD): Responsibilities should be divided among
multiple users to reduce the risk of fraud or error.
o Example: Alice approves a transaction, and Bob processes it.
Access Control Models
Several models are used to implement access control. Here’s a deeper
explanation of each:
1. Discretionary Access Control (DAC)
 Definition: Access is determined by the owner of the resource.
 Example: Alice owns a file on Bob's server and can decide who else
can read, write, or execute it.
 Pros: Flexible and easy to implement.
 Cons: Susceptible to insider threats and accidental
misconfigurations.
2. Mandatory Access Control (MAC)
 Definition: Access is determined by a central authority based on
classifications.
 Example: Bob’s organization implements a system where files are
classified as "Top Secret" or "Confidential." Alice can only access files
for which she has clearance.
 Pros: Strong confidentiality guarantees; no user, not even a file's
owner, can grant access beyond what the classification policy allows.
 Cons: Inflexible and harder to manage.
3. Role-Based Access Control (RBAC)
 Definition: Access is assigned based on a user's role in the
organization.
 Example: Alice, as a "Manager," has access to performance reports,
while Bob, as an "Analyst," has access to raw data but not the
reports.
 Pros: Simplifies management as roles are easier to assign than
individual permissions.
 Cons: Roles need to be carefully defined and maintained.
4. Attribute-Based Access Control (ABAC)
 Definition: Access is based on attributes (e.g., user attributes,
resource attributes, environment conditions).
 Example: Alice can access a file if she is in the "Finance" department
and accessing the system from the office network.
 Pros: Highly granular and flexible.
 Cons: Complex to implement and manage.
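The following is an added illustration, not code from the lecture notes: a small policy evaluator that implements the RBAC and ABAC models described above. The role table, the attribute names ("department", "owner_dept", "network", "classification") and the rules are constructed for this example; ABAC here uses "deny overrides allow" and denies anything no rule matches.

```python
from dataclasses import dataclass

# Constructed policy data for illustration; the role names follow the lecture's example.
ROLE_PERMISSIONS = {
    "Manager": {("performance_reports", "read")},
    "Analyst": {("raw_data", "read"), ("raw_data", "write")},
}


def rbac_allowed(user_roles, resource, action):
    """RBAC: allow if any of the user's roles grants (resource, action). Deny by default."""
    return any((resource, action) in ROLE_PERMISSIONS.get(role, set())
               for role in user_roles)


@dataclass
class Request:
    subject: dict    # user attributes, e.g. {"department": "Finance"}
    resource: dict   # resource attributes, e.g. {"owner_dept": "Finance"}
    action: str
    env: dict        # environment attributes, e.g. {"network": "office"}


# ABAC policy: a list of (effect, predicate). An explicit deny overrides any allow,
# and a request that matches no rule at all is denied.
ABAC_RULES = [
    ("allow", lambda r: r.action == "read"
                        and r.subject.get("department") == "Finance"
                        and r.resource.get("owner_dept") == "Finance"
                        and r.env.get("network") == "office"),
    ("deny",  lambda r: r.resource.get("classification") == "top_secret"
                        and r.subject.get("clearance") != "top_secret"),
]


def abac_allowed(req):
    """ABAC: evaluate every rule against the request's attributes."""
    effects = {effect for effect, predicate in ABAC_RULES if predicate(req)}
    if "deny" in effects:
        return False
    return "allow" in effects
```

Note that the ABAC decision changes with the environment alone: the same Alice reading the same file is allowed from the office network and denied from anywhere else, which no static role assignment can express.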

Challenges in Access Control


1. Complexity of Permissions Management: Large organizations often
struggle to track and manage permissions for hundreds or thousands
of users.
2. Insider Threats: A legitimate user, like Alice, with elevated privileges,
could intentionally or unintentionally misuse access.
3. Dynamic Environments: In cloud environments, where resources and
users frequently change, maintaining secure and efficient access
control is challenging.
Best Practices for Access Control
1. Implement Multi-Factor Authentication (MFA):
o Combine at least two factors of authentication to enhance
security.
2. Regularly Audit Permissions:
o Periodically review and revoke unnecessary permissions to
enforce the principle of least privilege.
3. Use Centralized Access Management:
o Tools like Active Directory, AWS IAM, or Google Workspace allow
centralized control over user permissions.
4. Leverage Logging and Monitoring:
o Continuously log and monitor access to detect unauthorized
actions or anomalies.

Passwords
Passwords are the most common method for "something you know."
However, they come with challenges:
Problems with Passwords
 Humans are bad at creating and remembering secure passwords.
 Weak passwords (e.g., "123456" or "password") are easy to guess.
 Users often reuse passwords across multiple accounts.
Best Practices for Passwords
 Prefer length over complexity: a long passphrase, or a random string
from a password manager, resists guessing far better than a short
password.
 Passphrase-derived passwords such as "0nceuP0nAt1m8" (from "once
upon a time") get their strength from the length and the unusual
phrase, not from the substitutions; cracking tools apply common
substitutions (0 for o, 1 for i) automatically.
 Screen new passwords against lists of breached and common passwords,
and use a different password for every account.
 Do not force periodic changes without evidence of compromise, and do
not impose composition rules ("one digit, one symbol"); current
guidance (NIST SP 800-63B) advises against both, because they push
users toward predictable patterns.
Experiment Results
 In the experiment discussed in the course, passphrase-based passwords
were easier to remember than randomly generated ones and resisted
cracking about as well, while freely chosen user passwords were
cracked far more often. The trade-off is between memorability and
randomness; passphrases recover most of both.
Password Attacks
Password attacks aim to guess, steal, or recover passwords to gain
unauthorized access. They exploit weaknesses in user behavior, system
design, or cryptographic protections.
Types of Attacks
1. Brute Force Attack
 Definition: Systematically attempts every possible combination of
characters until the correct password is found.
 Characteristics:
o Succeeds eventually given enough time, but the time grows
exponentially with length: an alphabet of N symbols and a
password of length L give a keyspace of N^L guesses.
o Computationally expensive, depending on password complexity
and length, and on how slow the password hash is.
 Example:
o Alice's password is "aBc123". A brute-force attacker tries all
combinations:
 "aaa...", "aab...", ..., "aBc123".
 Challenges for Attackers:
o Long passwords with high entropy (randomness) significantly
increase the time required.
2. Dictionary Attack
 Definition: Uses a precompiled list of commonly used passwords
(e.g., "password123", "qwerty") to match against stored hashes.
 Process:
1. The attacker creates a "dictionary" of possible passwords.
2. Hashes each password in the dictionary using the same
algorithm as the target system.
3. Compares the resulting hashes with those in the password
database.
 Example:
o Alice’s password is "P@ssw0rd". The attacker uses a dictionary
containing "password", "123456", and "P@ssw0rd". Once the
hash matches, the password is cracked.
 Why It’s Effective:
o Many users choose predictable, common passwords, making
this attack faster than brute force.
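An added worked example for the brute-force and dictionary attacks above (not code from the lecture notes): a keyspace estimate for brute force, and an offline dictionary attack against a constructed "leaked" store of unsalted SHA-256 hashes. The user names, passwords, wordlist and the guess rate are all made up for the illustration.

```python
import hashlib


def keyspace_size(alphabet_size, length):
    """Number of candidate strings a brute-force attacker must consider."""
    return alphabet_size ** length


def expected_brute_force_seconds(alphabet_size, length, guesses_per_second):
    """On average the correct password turns up after half the keyspace."""
    return keyspace_size(alphabet_size, length) / 2 / guesses_per_second


def unsalted_hash(password):
    # Fast, unsalted hash: exactly what a password store should NOT use.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


# Constructed "leaked" credential store (user -> unsalted SHA-256 hex); not real data.
LEAKED_DB = {
    "alice": unsalted_hash("P@ssw0rd"),
    "bob":   unsalted_hash("qwerty"),
    "carol": unsalted_hash("P@ssw0rd"),
    "dave":  unsalted_hash("mfQ8#vL2zK!r9Tq4"),
}

# Small constructed wordlist standing in for a real dictionary such as rockyou.txt.
WORDLIST = ["password", "123456", "qwerty", "P@ssw0rd", "letmein", "Password1"]


def dictionary_attack(db, wordlist):
    """Hash each dictionary word once, then look every stored hash up in the table.

    Because the hashes are unsalted, the cost is len(wordlist) hash computations
    no matter how many users there are, and every user who chose the same
    password falls at once (alice and carol here). Dave's random password is
    not in the wordlist and survives.
    """
    table = {unsalted_hash(word): word for word in wordlist}
    return {user: table[digest] for user, digest in db.items() if digest in table}
```

With 62 symbols (upper, lower, digits) a 6-character password is about 5.7e10 guesses, under a minute at a billion hashes per second; 12 characters is about 3.2e21, which is why length matters more than anything else.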
3. Social Engineering
 Definition: Manipulates human behavior to obtain passwords or
sensitive information.
 Techniques:
o Phishing: Fake emails or websites trick users into entering their
credentials.
 Example: Alice receives an email mimicking Bob’s IT
department asking her to "reset her password" by clicking
a link.
o Pretexting: The attacker pretends to be someone trustworthy
(e.g., IT admin).
 Example: An attacker calls Alice pretending to be Bob's
system admin and asks for her password to "fix an issue."
o Baiting: Offers a lure (e.g., a USB drive labeled "Company
Secrets") to trick users into compromising their systems.
4. Rainbow Table Attack
 Definition: Uses precomputed hash chains (a time-memory trade-off)
so that the hashes of a very large set of candidate passwords can be
inverted with far less storage than a table of every hash would need.
 Process:
o The tables are computed once, offline, for a given hash function.
o The attacker then looks up each stored hash to recover the
password without hashing candidates again.
 Why It’s Dangerous:
o It moves almost all of the work into a one-time precomputation,
so cracking a stolen database is fast once the tables exist.
 Defense: Salting passwords (see below). A unique salt per user
means no single precomputed table applies to more than one
password.
5. Credential Stuffing
 Definition: Reuses stolen credentials from one site to access other
sites where users may have reused passwords.
 Example:
o An attacker obtains Alice’s password from a data breach of a
shopping site and uses it to log into her email or banking
accounts.
6. Keylogging and Spyware
 Definition: Malware records keystrokes or captures screens to steal
credentials.
 Example:
o A keylogger records every key Alice types, capturing her
username and password as she logs in to Bob's server.
7. Shoulder Surfing
 Definition: Observing someone directly to steal credentials.
 Example:
o An attacker watches Alice type her password at a café.
Defense Mechanisms
1. Salting
 Definition: Adds a unique, random value (salt) to each password
before hashing. The salt is stored alongside the hash; it does not
need to be secret, only unique and unpredictable.
 How It Works:
o The password is hashed as y = h(password, salt).
o Even if two users have the same password, their hashes differ
because their salts are unique.
 Benefits:
o Prevents precomputed attacks (e.g., rainbow tables).
o Forces attackers to recompute hashes for every salt, increasing
the computational cost.
 Example:
o Without salting:
 Password "Alice123" always hashes to the same value,
h("Alice123") = abc123 (illustrative value).
o With salting:
 Salt = "xyz".
 h("Alice123", "xyz") = def456 (illustrative value).
 Same password with a different salt yields a different
hash.
2. Iterative Hashing
 Definition: Hashes a password many times (a configurable work
factor) so that every guess costs the attacker the same work.
 Algorithms:
o PBKDF2, bcrypt, scrypt, Argon2. scrypt and Argon2 are also
memory-hard, which blunts GPU and ASIC cracking rigs.
 Effect:
o Increases the computational cost for each hash attempt,
slowing down brute force and dictionary attacks. The work
factor should be raised over time as hardware gets faster.
3. Password Retry Limit
 Definition: Limits the number of incorrect login attempts before
locking the account temporarily or permanently.
 Options:
o Lock for a specific time (e.g., 5 minutes).
o Require administrator intervention to unlock.
 Trade-offs:
o Too short a lockout (e.g., 5 seconds) may still allow slow brute-
force attacks.
o Too long a lockout (e.g., until admin resets) could enable denial-
of-service (DoS) attacks.
4. Multi-Factor Authentication (MFA)
 Definition: Requires multiple factors (e.g., password + phone-based
OTP) to authenticate.
 Example:
o Even if Alice’s password is compromised, the attacker cannot
log in without her smartphone-generated OTP.
5. User Education
 Teach users to:
o Recognize phishing attempts.
o Avoid using predictable passwords.
o Not reuse passwords across sites.
6. Secure Password Storage
 Hash Algorithms:
o Use strong hash algorithms like bcrypt, PBKDF2, or Argon2 to
secure stored passwords.
 Do Not Store Plaintext Passwords:
o Only store the hashed and salted versions.
7. CAPTCHA
 Definition: Raises the cost of automated brute force or dictionary
attacks by requiring a challenge that is hard for bots to solve.
 Example:
o Bob’s login system requires Alice to solve a CAPTCHA after 3
failed login attempts.
Combining Defenses: Layered Security
To mitigate password attacks effectively:
1. Strong Password Policies:
o Enforce a minimum length, screen against breached-password lists,
and require a change only when compromise is suspected.
2. Implement MFA:
o Adds an extra layer of protection beyond passwords.
3. Monitor and Log:
o Continuously monitor login attempts for anomalies (e.g., rapid
retries).
4. Educate Users:
o Make users aware of risks like phishing and credential reuse.
5. Regular Audits:
o Use tools to identify weak passwords or breaches.

Password Generators
Password generators are a type of token-based authentication system.
They are used to dynamically generate secure, temporary passwords that
are valid for a single session or transaction.
How Password Generators Work
1. Challenge-Response Mechanism:
o Bob’s system (server) sends a random challenge R (e.g., a
random number or a timestamp) to Alice.
o Alice inputs the challenge R along with her PIN (something
she knows) into her password generator device. The PIN unlocks
the device; it is never sent to Bob.
o The password generator uses a cryptographic function
h(K, R), where:
 K: A secret key shared between Alice’s device and Bob’s
server.
 h: A keyed cryptographic function; in practice a MAC such
as HMAC rather than a plain hash of K and R concatenated.
o The device computes the result and displays it to Alice.
2. Response:
o Alice sends the computed result h(K, R) to Bob as
her one-time password (OTP).
3. Verification:
o Bob, who also knows K, independently computes h(K, R)
using the same R he sent to Alice.
o If Alice's response matches Bob's computation, authentication
is successful. R must be fresh and unpredictable for every login;
a reused R would let an eavesdropper replay an old response.
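The exchange above as an added, runnable example (not code from the lecture notes), with both sides in one file: Bob's server issues a random R with a lifetime, Alice's device computes HMAC-SHA256(K, R) after a local PIN check, and the server consumes the challenge on first use so a captured response cannot be replayed. The key provisioning, the 60-second challenge lifetime and the PIN handling are assumptions of this example.

```python
import hashlib
import hmac
import secrets
import time


class AuthServer:
    """Bob's side: issues a fresh random challenge R and checks h(K, R)."""

    def __init__(self, shared_keys, clock=time.monotonic, ttl_seconds=60):
        self.shared_keys = shared_keys   # user -> K, provisioned out of band (assumed)
        self.pending = {}                # user -> (R, expiry)
        self.clock = clock
        self.ttl = ttl_seconds

    def issue_challenge(self, user):
        challenge = secrets.token_bytes(16)   # unpredictable, never reused
        self.pending[user] = (challenge, self.clock() + self.ttl)
        return challenge

    def verify(self, user, response):
        # The challenge is consumed on the first verification attempt, so a captured
        # response cannot be replayed and a guess cannot be retried against the same R.
        entry = self.pending.pop(user, None)
        if entry is None:
            return False
        challenge, expiry = entry
        if self.clock() > expiry:
            return False
        expected = hmac.new(self.shared_keys[user], challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


class PasswordGenerator:
    """Alice's device: holds K, is unlocked by a PIN, and computes h(K, R)."""

    def __init__(self, key, pin):
        self._key = key
        self._pin = pin

    def respond(self, pin, challenge):
        if not hmac.compare_digest(pin.encode("utf-8"), self._pin.encode("utf-8")):
            raise PermissionError("wrong PIN")   # the PIN never leaves the device
        return hmac.new(self._key, challenge, hashlib.sha256).digest()


def login(server, device, user, pin):
    """One complete exchange: challenge -> response -> verdict."""
    challenge = server.issue_challenge(user)
    response = device.respond(pin, challenge)
    return response, server.verify(user, response)
```

Real tokens display a short decimal code rather than a 32-byte tag; truncating the MAC to six or eight digits (as HOTP does) is the only difference, and it is why the server must also limit retries.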
Key Features of Password Generators
1. One-Time Use:
o The generated password is valid for only one session or
transaction, reducing the risk of replay attacks.
2. Shared Secret Key:
o Both Alice’s device and Bob’s system share the same secret
key K, which is crucial for generating consistent OTPs.
3. Dynamic Challenges:
o The challenge R ensures that each generated password is
unique, even if Alice’s PIN remains the same.
Benefits of Password Generators
1. Enhanced Security:
o Dynamic, session-specific passwords are much harder to crack
compared to static passwords.
2. Resistant to Replay Attacks:
o Since the password is valid only for a specific challenge, it
cannot be reused even if intercepted.
3. Reduced Human Error:
o Users don’t have to remember complex, static passwords.

Challenges with Password Generators


1. Device Dependency:
o Alice must have the physical password generator with her. If
lost, she cannot authenticate.
2. Key Management:
o Both Alice and Bob must securely store the shared secret K.
If K is compromised, the system is vulnerable.
3. Synchronization:
o In time-based systems (e.g., TOTP—Time-based OTP), the clock
of Alice’s device and Bob’s server must stay synchronized.

Two-Factor Authentication (2FA)


2FA enhances security by requiring two different types of authentication
factors. Even if one factor is compromised, the attacker must still bypass
the second.
The Three Types of Authentication Factors
1. Something You Know:
o Information only the user knows.
o Examples: Passwords, PINs, security answers.
2. Something You Have:
o A physical object in the user’s possession.
o Examples: ATM cards, hardware tokens, smartphones with
authentication apps.
3. Something You Are:
o Biometric traits unique to the user.
o Examples: Fingerprints, iris scans, facial recognition.
How 2FA Works
1. Primary Authentication:
o Alice provides the first factor, typically "something she knows,"
such as a password or PIN.
2. Secondary Authentication:
o Alice provides a second factor:
 Something She Has: A one-time password from a hardware
token.
 Something She Is: A biometric scan, such as her
fingerprint.
3. Verification:
o Bob’s system verifies both factors before granting access.
Examples of 2FA
1. ATM Transactions:
o Factor 1: Alice inserts her ATM card (something she has).
o Factor 2: Alice enters her PIN (something she knows).
2. Online Banking:
o Factor 1: Alice logs in with her password (something she
knows).
o Factor 2: Alice enters an OTP sent to her smartphone
(something she has).
3. Smartphone Unlocking:
o Factor 1: Alice scans her fingerprint (something she is).
o Factor 2: Alice enters a PIN (something she knows).
Benefits of 2FA
1. Enhanced Security:
o An attacker must compromise both factors to gain access.
2. Protection Against Common Attacks:
o Password Theft: Even if Alice’s password is stolen, the attacker
cannot access the system without the second factor.
o Phishing: An attacker who tricks Alice into revealing her
password still needs the second factor. A real-time phishing site
can, however, also ask for an OTP and relay it to Bob within its
validity window, so OTP-based 2FA only raises the bar; factors
bound to the site's origin (FIDO2/WebAuthn security keys and
passkeys) resist this.
Challenges of 2FA
1. Usability Issues:
o Users may find it inconvenient to always provide a second
factor.
2. Lost or Unavailable Factors:
o If Alice loses her token or her phone is unavailable, she may be
locked out.
3. Costs:
o Issuing and managing physical tokens or biometric systems can
be expensive.
4. Vulnerabilities in Second Factor:
o SMS-based OTPs can be intercepted via SIM-swapping attacks
or malware; any OTP can be relayed by a real-time phishing proxy;
and push-notification approvals can be worn down by repeated
prompts ("MFA fatigue").
Password Generators vs. 2FA
Feature              | Password Generators                                   | 2FA
---------------------|-------------------------------------------------------|---------------------------------------------
Core Functionality   | Generates dynamic one-time passwords (OTPs).          | Combines two independent factors for login.
Security Scope       | Primarily protects against replay and brute-force     | Protects against password theft; resists
                     | attacks.                                              | phishing only with an origin-bound factor.
Implementation       | Relies on shared secrets and keyed cryptographic      | Can involve biometrics, tokens, or
                     | functions (HMAC).                                     | software apps.
Complexity           | Requires synchronization and secure key management.   | May involve multiple devices or systems.
Example Use          | Alice uses an OTP from her hardware token to log in.  | Alice logs in with a password and a
                     |                                                       | biometric scan.
Best Practices for Implementing 2FA and Password Generators
1. Use Strong Cryptographic Algorithms:
o Generate OTPs with a keyed MAC such as HMAC (HOTP, RFC 4226,
and TOTP, RFC 6238, are built on it) from a shared secret of at
least 128 bits drawn from a cryptographic random number generator.
2. Implement Backup Mechanisms:
o Allow alternative authentication methods in case the second
factor is unavailable (e.g., recovery codes).
3. Educate Users:
o Train users like Alice to protect physical tokens and recognize
phishing attempts.
4. Choose Modern 2FA Options:
o Prefer app-based OTPs (e.g., Google Authenticator) to SMS, and
prefer phishing-resistant FIDO2/WebAuthn authenticators to OTPs
wherever they are available.
5. Regularly Audit and Update:
o Periodically review shared keys, algorithms, and biometric
systems to address vulnerabilities.
Biometrics
Biometrics refers to the use of unique physical or behavioral traits for
identifying or authenticating individuals. These traits are inherently tied
to an individual and difficult to duplicate, making them valuable for
security purposes.
Types of Biometrics:
1. Physical Traits:
o Fingerprints
o Iris or retinal patterns
o Facial features
o Palm prints
2. Behavioral Traits:
o Voice patterns
o Typing rhythm
o Gait (walking style)
Advantages of Biometrics
1. Hard to Replicate:
o Unlike passwords or tokens, physical traits like fingerprints or
iris patterns cannot be guessed or forgotten, and stealing them
remotely is harder than stealing a password.
o They are not impossible to spoof: lifted fingerprints, printed
photos and recorded voices have all defeated sensors, so serious
deployments add liveness detection.
o Example:
 Alice’s fingerprint cannot be phished or typed into a fake
login page, unlike a stolen password or PIN.
2. Eliminates the Need for Memory:
o Users don’t need to remember complex passwords or carry
physical tokens.
o Example:
 Alice logs into her phone using facial recognition, avoiding
the hassle of entering a password.
3. Ease of Use:
o Biometric systems are generally user-friendly and convenient.
o Example:
 A thumbprint scanner on a smartphone unlocks the device
instantly.
Challenges of Biometrics
1. Accuracy Issues:
o False Acceptance Rate (FAR): A system incorrectly accepts an
unauthorized individual (a security failure).
o False Rejection Rate (FRR): A system incorrectly rejects an
authorized individual (a usability failure).
o Trade-off: Both depend on the matching threshold; raising it
lowers FAR and raises FRR. The point where the two are equal
gives the Equal Error Rate (EER), the usual single-number
summary of a system's accuracy.
2. Physical Changes Over Time:
o Aging, injuries, or medical conditions can alter biometric traits.
o Example:
 Alice’s fingerprint scanner may fail to recognize her after a
burn injury.
3. Irreversible Compromise:
o If biometric data is stolen, it cannot be "changed" like a
password or PIN, so systems should store only a derived template
(never raw images), preferably in secure hardware on the user's
own device, and should never rely on the biometric as the only
secret.
o Example:
 If an attacker obtains Alice’s fingerprint data, she cannot
reset her fingerprint.
4. Environmental Factors:
o Biometric systems may fail due to poor lighting (facial
recognition), dirty sensors (fingerprints), or background noise
(voice recognition).
Characteristics of an Ideal Biometric
An ideal biometric system would have the following characteristics,
though practical implementations face limitations:
1. Universal:
o The trait should apply to almost everyone.
o Reality: No single biometric works universally. For example:
 Fingerprints may not be usable for people with worn or
damaged skin.
 Iris recognition may not be suitable for individuals with
specific medical conditions.
2. Distinguishing:
o The biometric should be unique enough to differentiate
between individuals.
o Reality: While most traits are unique, identical twins or errors in
measurement can pose challenges.
3. Permanent:
o The trait should remain constant over time.
o Reality: Physical traits can change with aging, injuries, or
environmental factors.
4. Collectable:
o The system should be able to collect the trait easily, reliably,
and non-invasively.
o Reality: Cooperation from the user is required, and some traits
(like retinal scans) may feel intrusive.
5. Other Desirable Features:
o Safe and user-friendly.
o Resistant to spoofing or tampering.

Enrollment vs. Recognition


Enrollment:
 The process of capturing and securely storing a user’s biometric
data for future reference.
 Key Characteristics:
o Must be precise and accurate.
o Often involves multiple attempts to ensure a high-quality
capture.
o Example:
 Alice’s fingerprint is scanned multiple times during
enrollment to build a robust template.
Recognition:
 The process of matching new biometric data with stored templates
to verify or identify a user.
 Key Characteristics:
o Must be fast and efficient for real-time use.
o Should maintain accuracy despite variations (e.g., slight
changes in appearance or environment).
o Example:
 Alice places her finger on a scanner to unlock her phone,
which compares the input to her enrolled fingerprint data.

Identification vs. Authentication


While both involve biometric systems, the goals and methods differ
significantly.
Identification: "Who goes there?"
 Goal: Determine an unknown user’s identity from a large database.
 One-to-Many Comparison:
o The input biometric is compared against all stored records.
 Example:
o Alice’s fingerprint is scanned by the FBI to find a match in their
criminal database.
 Challenges:
o Computationally intensive due to the large number of
comparisons.
o Higher risk of false positives because of random matches in
large datasets.
Authentication: "Are you who you claim to be?"
 Goal: Verify a claimed identity by comparing the input to a specific
stored record.
 One-to-One Comparison:
o The input biometric is compared only to the user’s enrolled
data.
 Example:
o Alice scans her thumb to log into Bob’s system, which checks
her input against her stored template.
 Advantages:
o More efficient and accurate than identification.
 Use Case:
o Most authentication systems, like thumbprint mice or facial
recognition on smartphones, focus on this.
Real-World Applications of Biometrics
1. Smartphones:
o Fingerprint and facial recognition for device unlocking and app
security.
2. Banking:
o Iris and fingerprint scans for ATM access and secure
transactions.
3. Border Control:
o Facial recognition at airports for faster immigration clearance.
4. Healthcare:
o Biometric systems for secure patient identification and record
access.
5. Corporate Security:
o Biometric entry systems for secure areas in office buildings.
Balancing Usability and Security
To implement biometrics effectively, systems must balance user
convenience with robust security:
 FAR vs. FRR Trade-Off:
o Applications requiring high security (e.g., military systems) may
tolerate a higher FRR to reduce FAR.
o Applications prioritizing usability (e.g., smartphones) may
tolerate a slightly higher FAR.
 Multi-Modal Biometrics:
o Combining multiple biometrics (e.g., fingerprint + facial
recognition) increases reliability and security.
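An added worked example for the FAR/FRR trade-off discussed under "Challenges of Biometrics" and again here (not code from the lecture notes). The matcher scores are constructed: ten genuine attempts and ten impostor attempts, each scored 0 to 1 by a hypothetical matcher. The functions compute FAR and FRR at any threshold, locate the equal error rate, and pick the threshold a security-first deployment would choose for a given FAR budget.

```python
# Constructed matcher scores: higher means "more similar to the enrolled template".
GENUINE_SCORES  = [0.90, 0.85, 0.80, 0.75, 0.70, 0.65, 0.60, 0.55, 0.50, 0.45]
IMPOSTOR_SCORES = [0.10, 0.20, 0.25, 0.30, 0.35, 0.40, 0.45, 0.50, 0.55, 0.60]


def far(impostor_scores, threshold):
    """False Acceptance Rate: fraction of impostor attempts scoring at or above the threshold."""
    return sum(s >= threshold for s in impostor_scores) / len(impostor_scores)


def frr(genuine_scores, threshold):
    """False Rejection Rate: fraction of genuine attempts scoring below the threshold."""
    return sum(s < threshold for s in genuine_scores) / len(genuine_scores)


def roc_table(genuine, impostor):
    """(threshold, FAR, FRR) at every observed score; FAR falls and FRR rises with the threshold."""
    thresholds = sorted(set(genuine) | set(impostor))
    return [(t, far(impostor, t), frr(genuine, t)) for t in thresholds]


def equal_error_rate(genuine, impostor):
    """Threshold where FAR and FRR are closest; the EER is the common error rate there."""
    t, a, r = min(roc_table(genuine, impostor), key=lambda row: abs(row[1] - row[2]))
    return t, (a + r) / 2


def threshold_for_max_far(genuine, impostor, max_far):
    """Security-first tuning: the lowest threshold keeping FAR <= max_far, i.e. least FRR under it."""
    for t, a, r in roc_table(genuine, impostor):
        if a <= max_far:
            return t, a, r
    return None
```

On these scores the EER is 20% at a threshold of 0.55; demanding zero false acceptances pushes the threshold to 0.65 and rejects 40% of genuine attempts. A smartphone unlock would sit near the EER or below it; a military system would accept the 40% rejection and let users retry.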

Single Sign-On (SSO)


Single Sign-On (SSO) is an authentication method that enables users to
log in once and gain access to multiple related but independent systems
or applications without needing to re-authenticate. It simplifies user
experience and centralizes authentication, improving convenience and
reducing the need to remember multiple credentials.
How SSO Works
1. Centralized Authentication Server:
o The SSO system maintains a centralized server to handle
authentication for all connected applications.
2. User Authentication:
o Alice logs in to the SSO system once, providing her credentials.
3. Session Tokens:
o After successful authentication, the SSO system issues a
session token or ticket to Alice, which serves as proof of her
identity.
4. Access to Integrated Applications:
o Alice uses the token to access other integrated applications.
These applications trust the token and do not require her to re-
authenticate.
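An added example of the token step above (not code from the lecture notes, and a simplification of what Kerberos, SAML or OpenID Connect actually issue): the SSO server signs a small set of claims with a key it shares with the applications, and each application verifies the signature and the expiry before trusting the subject. The claim names "sub", "iat" and "exp", the shared HMAC key and the token layout "base64(payload).base64(tag)" are assumptions of this example.

```python
import base64
import hashlib
import hmac
import json
import time


def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(key, subject, ttl_seconds, now=None):
    """SSO server: sign {sub, iat, exp} with the key shared with the applications."""
    now = int(time.time()) if now is None else now
    claims = {"sub": subject, "iat": now, "exp": now + ttl_seconds}
    payload = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode("utf-8")
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(tag)


def verify_token(key, token, now=None):
    """Application: return the subject if the tag is valid and the token unexpired, else None."""
    now = int(time.time()) if now is None else now
    try:
        payload_b64, tag_b64 = token.split(".")
        payload, tag = _unb64(payload_b64), _unb64(tag_b64)
    except ValueError:            # wrong shape or bad base64 (binascii.Error is a ValueError)
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None               # verify the signature before parsing or trusting any claim
    claims = json.loads(payload)
    if now >= claims["exp"]:
        return None
    return claims["sub"]
```

The verification order matters: the signature is checked before the JSON is parsed, so an attacker cannot feed the parser with unauthenticated data. Because every application holds the same key, any one of them could mint tokens for the others; real deployments use asymmetric signatures so applications hold only the public key.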
Example Protocols
 Kerberos:
o A network authentication protocol in which a trusted Key
Distribution Center (KDC) issues tickets that services verify.
o Example: Alice logs in to her corporate network via Kerberos,
and her ticket grants her access to email, file servers, and other
systems.
 Microsoft Passport (later Windows Live ID, now the Microsoft
account):
o An SSO service allowing users to authenticate across Microsoft
services and third-party apps.
 Liberty Alliance:
o A framework for federated identity management enabling SSO
across multiple organizations; its specifications fed into SAML 2.0,
and its work was continued by the Kantara Initiative.
 SAML 2.0 and OpenID Connect:
o The federation protocols that most current enterprise and
consumer SSO deployments are built on.
Benefits
1. Enhances Convenience
 Users like Alice don’t need to repeatedly log in for each application,
streamlining their experience.
 Example:
o Alice logs into her corporate SSO once and seamlessly accesses
email, HR portals, and cloud storage.
2. Reduces Credential Management
 Users maintain a single set of credentials, reducing the chances of
forgotten passwords or unsafe practices like password reuse.
 Example:
o Bob’s IT team manages one password policy for Alice instead of
separate policies for each application.
3. Centralized Security
 The SSO server enforces security policies such as MFA, password
rotation, and session expiration.
 If Alice’s session token expires, she is logged out of all connected
systems simultaneously.
4. Lower Administrative Overhead
 IT teams spend less time handling password resets and credential
recovery for multiple applications.
Drawbacks
1. Single Point of Failure
 If the SSO system is compromised, attackers gain access to all
integrated systems.
 Example:
o If an attacker steals Alice’s SSO credentials, they can access
her email, cloud storage, and other corporate resources.
2. Complex Implementation
 Integrating multiple applications with SSO protocols requires
significant initial setup and ongoing maintenance.
 Example:
o Bob’s IT team needs to ensure all internal and third-party apps
support the chosen SSO protocol.
3. Limited Access During Downtime
 If the SSO system goes down, users cannot access any integrated
applications.
 Example:
o Alice cannot log in to her HR portal during a network outage
affecting the SSO server.
Mitigation Strategies:
 Implement multi-factor authentication (MFA), preferably a
phishing-resistant form, for SSO to reduce the impact of
compromised credentials.
 Keep session tokens short-lived, carry them only in Secure, HttpOnly
cookies, and support revocation so that a stolen token is useful only
briefly.
 Regularly monitor and audit SSO activity for anomalies.
Real-World Use Cases
1. Corporate Environments:
 Employees log in once to access internal tools (e.g., Slack, Jira,
email).
2. Cloud Platforms:
 Platforms like Google Workspace or Microsoft Azure use SSO to unify
authentication for services like Gmail, Google Drive, and Office 365.
3. E-Commerce:
 Customers log in via "social login" with third-party identity
providers like Google or Facebook (typically OAuth 2.0 / OpenID
Connect) to access multiple online stores.

Web Cookies
Web cookies are small pieces of data that a server asks the browser to
store and send back with later requests to the same site. They enable
websites to "remember" users across requests, maintaining state on top
of the inherently stateless HTTP protocol.
How Web Cookies Work
1. Storing Information:
o When Alice visits Bob’s website, the server sends a cookie to
her browser with a unique identifier.
2. Session Continuity:
o On subsequent requests, Alice’s browser sends the cookie back
to Bob’s server, allowing the server to recognize her.
3. Authentication Cookies:
o After Alice logs in, Bob’s server creates an authentication
cookie to track her session.
Benefits of Cookies
Session Management:
 Cookies maintain state across multiple page visits or interactions.
 Example:
o Alice adds items to her shopping cart, and cookies ensure her
cart persists as she navigates Bob’s e-commerce site.
Convenience:
 Users don’t need to log in repeatedly during a session.
 Example:
o Alice logs into her online banking app, and cookies keep her
authenticated until she logs out.
Concerns with Cookies
1. Theft or Hijacking
 Cross-Site Scripting (XSS):
o Attackers inject malicious scripts into trusted websites to steal
cookies.
o Example:
 An attacker steals Alice’s authentication cookie via an XSS
vulnerability, gaining unauthorized access to Bob’s
website.
 Mitigation:
o Set the HttpOnly flag so the cookie is inaccessible to JavaScript.
This stops an injected script from exfiltrating the cookie, although
a script running in Alice's browser can still send requests that
carry it.
o Set the Secure flag so the cookie is only transmitted over HTTPS.
o Fix the XSS itself (output encoding, Content Security Policy).
2. Privacy Concerns
 Cookies can track user behavior across websites for targeted
advertising or analytics.
 Example:
o Alice visits a news website, which sets a third-party tracking
cookie. Advertisers later target her with ads based on her
reading habits.
 Mitigation:
o Use browser settings or extensions to block third-party cookies.
o Provide clear privacy policies to users.
3. Weak Authentication
 Cookies can be stolen or manipulated, allowing attackers to
impersonate users. A session identifier that is short, predictable, or
derived from the username can be guessed, and one that survives login
can be planted by an attacker beforehand (session fixation).
 Example:
o An attacker copies Alice’s session cookie to impersonate her on
Bob’s website.
 Mitigation:
o Use long random session identifiers generated server-side,
regenerate the identifier at login, and tie it to a server-side
session that can be expired or revoked.
Enhancing Cookie Security
1. Use Secure Flags:
o Ensure cookies are transmitted only over HTTPS by setting the
Secure flag.
2. HTTP-Only Cookies:
o Prevent access to cookies from client-side scripts.
3. Session Expiration:
o Implement time limits for session cookies to reduce the impact
of theft.
4. SameSite Attribute:
o Restricts cookies from being sent with cross-site requests,
mitigating CSRF attacks. SameSite=Lax is a reasonable default,
SameSite=Strict is tighter, and SameSite=None (which also requires
Secure) opts out of the protection.
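An added example for the four cookie hardening points above (not code from the lecture notes): a small auditor that parses a Set-Cookie header and reports missing Secure, HttpOnly and SameSite attributes, an over-long Max-Age, and a misused __Host- prefix, plus a builder for a hardened session cookie. The 24-hour Max-Age limit and the 15-minute default lifetime are assumed policy values, and the sample headers are constructed.

```python
def parse_set_cookie(header):
    """Split a Set-Cookie header into (name, value, {attribute: value or True})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True   # flag attributes map to True
    return name.strip(), value, attrs


def audit_set_cookie(header):
    """Return the list of weaknesses found in a session cookie's Set-Cookie header."""
    name, _, attrs = parse_set_cookie(header)
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure: cookie can be sent over plain HTTP")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: readable by injected JavaScript (XSS)")
    samesite = attrs.get("samesite")
    if samesite is None or samesite is True:
        findings.append("missing SameSite: browser default may allow cross-site sends")
    elif samesite.lower() == "none":
        findings.append("SameSite=None: sent on cross-site requests (CSRF exposure)")
    max_age = attrs.get("max-age")
    if isinstance(max_age, str) and max_age.isdigit() and int(max_age) > 86400:
        findings.append("Max-Age over one day: a stolen cookie stays usable for a long time")
    # The __Host- prefix makes the browser enforce Secure, Path=/ and no Domain attribute,
    # which keeps a subdomain from overriding the cookie; a mismatch means the browser drops it.
    if name.startswith("__Host-") and ("domain" in attrs or attrs.get("path") != "/"):
        findings.append("__Host- prefix requires Path=/ and no Domain attribute")
    return findings


def hardened_session_cookie(name, value, max_age=900):
    """Set-Cookie value with the flags this section recommends (Lax blocks cross-site POSTs)."""
    return f"{name}={value}; Path=/; Max-Age={max_age}; Secure; HttpOnly; SameSite=Lax"
```

Running the auditor over responses captured from a staging environment is a quick way to find session cookies that were set before the flags were standard; the same checks appear in most web scanners.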
