Magic cookie


In computing, a magic cookie, or just cookie for short, is a token or short packet of data passed between communicating programs. The cookie is often used to identify a particular event or as a "handle, transaction ID, or other token of agreement between cooperating programs".[1] The term derives from the fortune cookie, which is a cookie with an embedded message.[2]


Usage

Cookie data is typically not meaningful to the recipient program. The contents are opaque and not usually interpreted until the recipient passes the cookie data back to the sender, or perhaps to another program, at a later time.

In some cases, recipient programs are able to meaningfully compare two cookies for equality.

The cookie can be used like a ticket.

Early use

The term magic cookie appears in the man page for the fseek routine in the C standard library, dating back at least to 1979, where it was stated:

An analogy is the token supplied at a coat check (cloakroom) counter in real life. The token has no intrinsic meaning, but its uniqueness allows it to be exchanged for the correct coat when returned to the coat check counter. The coat check token is opaque because the way in which the counter staff are able to find the correct coat when the token is presented is immaterial to the person who wishes their coat returned. In other cases (as is possible with HTTP cookies), the actual data of interest can be stored as name–value pairs directly on the cookie.

Cookies are used as identifying tokens in many computer applications. When one visits a website, the remote server may leave an HTTP cookie on one's computer, where it is often used to authenticate identity upon returning to the website.

Cookies are a component of the most common authentication method used by the X Window System.
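As an added example (not code from the article), the two cookie models described above side by side: an opaque coat-check token that is only a key into state the issuer keeps, and an HTTP-style data-bearing cookie whose name-value pairs travel with the holder and therefore need an integrity check. The `CoatCheck` class, `mint`, `verify` and the key are constructed for illustration.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qsl, urlencode


# --- Model 1: opaque cookie (the coat-check token) ---------------------
# The token carries no meaning for the holder; it only relates a later
# transaction (redeem) back to an earlier one (issue).
class CoatCheck:
    def __init__(self):
        self._coats = {}  # cookie -> stored item, held only on the issuer's side

    def issue(self, item):
        cookie = secrets.token_urlsafe(16)  # unpredictable, so it cannot be guessed
        self._coats[cookie] = item
        return cookie

    def redeem(self, cookie):
        # Equality with a stored token is the only meaningful operation;
        # a single-use ticket is consumed when presented.
        return self._coats.pop(cookie, None)


# --- Model 2: data-bearing cookie (HTTP-style name=value pairs) --------
# The data of interest rides inside the cookie, so the issuer must detect
# any alteration by the holder: a keyed MAC over the payload is appended.
SECRET = secrets.token_bytes(32)  # constructed key; a real server would persist it


def mint(fields: dict) -> str:
    payload = urlencode(fields)
    tag = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{tag}"


def verify(cookie: str):
    """Return the fields if the MAC checks out, else None (tampered or forged)."""
    payload, _, tag = cookie.rpartition("|")
    expected = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):  # constant-time comparison
        return None
    return dict(parse_qsl(payload))
```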


References

  1. Raymond, Eric. "Cookie". The Jargon File. Retrieved 2022-01-04. A handle, transaction ID, or other token of agreement between cooperating programs. "I give him a packet, he gives me back a cookie." The claim check you get from a dry-cleaning shop is a perfect mundane example of a cookie; the only thing it's useful for is to relate a later transaction to this one (so you get the same clothes back).
  2. "Why are internet cookies called cookies?".
  3. UNIX Programmer's Manual, 7th Edition, Vol. 1, FSEEK (3S), Bell Telephone Laboratories, Murray Hill, New Jersey, January 1979.
  4. UNIX Programmer's Manual, Vol. II (Library), FSEEK (3S), 4.2 BSD, 12 Feb 1983.
  5. Bell Telephone Laboratories, Incorporated. "FSEEK(3S)." In UNIX Time-Sharing System: UNIX Programmer’s Manual, Revised and expanded version of 7th Edition, Volume 1, page 263. New York: Holt, Rinehart and Winston, 1983. https://archive.org/details/unixtimesharings0001bell