From 06acc7bc45cb3c532acf15ff8357664315cadf8e Mon Sep 17 00:00:00 2001 From: MaoShizhong <122839503+MaoShizhong@users.noreply.github.com> Date: Sat, 19 Oct 2024 14:14:49 +0100 Subject: [PATCH 01/12] Add intro and lesson overview --- nodeJS/authentication/cookies.md | 29 +++++++++++++++++++++++++++++ 1 file changed, 29 insertions(+) create mode 100644 nodeJS/authentication/cookies.md diff --git a/nodeJS/authentication/cookies.md b/nodeJS/authentication/cookies.md new file mode 100644 index 00000000000..9af31035adf --- /dev/null +++ b/nodeJS/authentication/cookies.md @@ -0,0 +1,29 @@ +### Introduction + +Before we dive into how to authenticate, let's first have a brief look at cookies, which are really just storage spaces for data that we can send back and forth between a client and a server. + +### Lesson overview + +This section contains a general overview of topics that you will learn in this lesson. + +- Describe what cookies are. +- Describe what you can use cookies for. +- Explain some of the different properties of cookies. + +### Assignment + +
+ +
+ +### Knowledge check + +The following questions are an opportunity to reflect on key topics in this lesson. If you can't answer a question, click on it to review the material, but keep in mind you are not expected to memorize or master this knowledge. + +- [A KNOWLEDGE CHECK QUESTION](A-KNOWLEDGE-CHECK-URL) + +### Additional resources + +This section contains helpful links to related content. It isn't required, so consider it supplemental. + +- It looks like this lesson doesn't have any additional resources yet. Help us expand this section by contributing to our curriculum. From 8c50a11b43a3bb4cec52c0b3e92bea1b9e7fe651 Mon Sep 17 00:00:00 2001 From: MaoShizhong <122839503+MaoShizhong@users.noreply.github.com> Date: Sat, 19 Oct 2024 14:58:46 +0100 Subject: [PATCH 02/12] Add summary section --- nodeJS/authentication/cookies.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/nodeJS/authentication/cookies.md b/nodeJS/authentication/cookies.md index 9af31035adf..936b7b1d5e2 100644 --- a/nodeJS/authentication/cookies.md +++ b/nodeJS/authentication/cookies.md @@ -10,6 +10,12 @@ This section contains a general overview of topics that you will learn in this l - Describe what you can use cookies for. - Explain some of the different properties of cookies. +### Cookies + +Cookies are just little storage spaces for text. They can be used to store a whole variety of things, including (but not limited to) website choices/preferences, shopping cart info, user statistics, or data that allows you to stay logged in even when you refresh or close the browser. + +A server can create a cookie and send it along with its response to the client, where the client can then set that cookie. The client may then read that cookie to use that data and/or hold that cookie and attach it to any future requests to the server for it to use. + ### Assignment
From ecd81843b162da4b1e0278c42dde89943450eb4a Mon Sep 17 00:00:00 2001 From: MaoShizhong <122839503+MaoShizhong@users.noreply.github.com> Date: Sat, 19 Oct 2024 15:06:01 +0100 Subject: [PATCH 03/12] Add cookie attribute sections and headings --- nodeJS/authentication/cookies.md | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/nodeJS/authentication/cookies.md b/nodeJS/authentication/cookies.md index 936b7b1d5e2..58da97eada9 100644 --- a/nodeJS/authentication/cookies.md +++ b/nodeJS/authentication/cookies.md @@ -16,6 +16,18 @@ Cookies are just little storage spaces for text. They can be used to store a who A server can create a cookie and send it along with its response to the client, where the client can then set that cookie. The client may then read that cookie to use that data and/or hold that cookie and attach it to any future requests to the server for it to use. +### Cookie attributes + +When creating cookies, various attributes can be set to customize them, such as preventing them from being accessible via JavaScript in the client, or setting an expiry date etc. There are many such attributes that you can look at in your own time but for now, let's go over some of the most important ones. + +#### Expires/MaxAge + +#### HttpOnly + +#### Secure + +#### SameSite + ### Assignment
From 91c4d3d9f9d2cb8cdb493a6dcddf72ef1f3987c4 Mon Sep 17 00:00:00 2001 From: MaoShizhong <122839503+MaoShizhong@users.noreply.github.com> Date: Sat, 19 Oct 2024 15:40:54 +0100 Subject: [PATCH 04/12] Write expires/httpOnly subsections --- nodeJS/authentication/cookies.md | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/nodeJS/authentication/cookies.md b/nodeJS/authentication/cookies.md index 58da97eada9..fbdefe2d19b 100644 --- a/nodeJS/authentication/cookies.md +++ b/nodeJS/authentication/cookies.md 
@@ -18,12 +18,22 @@ A server can create a cookie and send it along with its response to the client, ### Cookie attributes -When creating cookies, various attributes can be set to customize them, such as preventing them from being accessible via JavaScript in the client, or setting an expiry date etc. There are many such attributes that you can look at in your own time but for now, let's go over some of the most important ones. +When creating cookies, various [cookie attributes](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#attributes) can be set to customize them, such as preventing them from being accessible via JavaScript in the client, or setting an expiry date etc. There are many such attributes that you can look at in your own time but for now, let's go over some of the most important ones. #### Expires/MaxAge +By default, cookies expire when the client shuts down (whether that's from fully leaving the website or closing the browser). Sometimes, this may be perfectly fine. In other cases, such as a cookie used for keeping you logged in, you want the cookie to stay valid even after leaving or closing the browser. + +Persistent cookies need to be given either an expiry date or a maximum age (if you give both then the maximum age is used and the expiry date is ignored). They will remain valid until expiry, after which they cannot be used. + #### HttpOnly +By default, cookies can be accessed via JavaScript in the browser via `document.cookie`. Again, this may be necessary in some cases but in others, this can be incredibly unsafe. + +Imagine a cookie used to keep you logged in even for when you leave and revisit a website. Now imagine you're the poor victim of a cross-site scripting (XSS) attack. All the attacker needs to do is access `document.cookie` in the malicious script and retrieve the cookie data. 
Now they can use that cookie data to pose as you and log into your account on their machine, even if they don't know your username or password! + +HttpOnly cookies will still be attached to requests sent with JavaScript on the client (e.g. `fetch()`) and you will still be able to see the cookie details in browser devtools, but they will not be accessible via client-side JavaScript like `document.cookie`, protecting against XSS atacks. + #### Secure #### SameSite From 5660cc908419322c2ca49f7bac77fe22e6d3fa34 Mon Sep 17 00:00:00 2001 From: MaoShizhong <122839503+MaoShizhong@users.noreply.github.com> Date: Sat, 19 Oct 2024 15:51:51 +0100 Subject: [PATCH 05/12] Write secure/sameSite subsections --- nodeJS/authentication/cookies.md | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/nodeJS/authentication/cookies.md b/nodeJS/authentication/cookies.md index fbdefe2d19b..c574778ad52 100644 --- a/nodeJS/authentication/cookies.md +++ b/nodeJS/authentication/cookies.md @@ -8,7 +8,7 @@ This section contains a general overview of topics that you will learn in this l - Describe what cookies are. - Describe what you can use cookies for. -- Explain some of the different properties of cookies. +- Explain some of the different attributes of cookies. ### Cookies 
@@ -18,7 +18,7 @@ A server can create a cookie and send it along with its response to the client, ### Cookie attributes -When creating cookies, various [cookie attributes](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#attributes) can be set to customize them, such as preventing them from being accessible via JavaScript in the client, or setting an expiry date etc. There are many such attributes that you can look at in your own time but for now, let's go over some of the most important ones. +When creating cookies, various optional [cookie attributes](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#attributes) can be set to customize them, such as preventing them from being accessible via JavaScript in the client, or setting an expiry date etc. There are many such attributes that you can look at in your own time but for now, let's go over some of the most relevant ones for this curriculum. #### Expires/MaxAge @@ -36,8 +36,12 @@ HttpOnly cookies will still be attached to requests sent with JavaScript on the #### Secure +If set, prevents the cookie from being sent with a request/response if not using HTTPS (localhost, which uses HTTP, is the only exception) which ensures the cookie won't be sent via unencrypted and insecure means. + #### SameSite +Determines whether or not the cookie is sent when dealing with cross-site requests in various contexts. We will not dive into this option too much for now, as we will be using cookies in a same-site context first. Later on when we start building REST APIs and separating our server from the client, this attribute and some others will become more relevant. + ### Assignment
From 9b4b1bd37ea0e998b69a4ef12f3171350d6cb44a Mon Sep 17 00:00:00 2001 From: MaoShizhong <122839503+MaoShizhong@users.noreply.github.com> Date: Sat, 19 Oct 2024 16:38:39 +0100 Subject: [PATCH 06/12] Add assignment and knowledge check questions --- nodeJS/authentication/cookies.md | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/nodeJS/authentication/cookies.md b/nodeJS/authentication/cookies.md index c574778ad52..a3a2a8dc0ac 100644 --- a/nodeJS/authentication/cookies.md +++ b/nodeJS/authentication/cookies.md @@ -46,13 +46,19 @@ Determines whether or not the cookie is sent when dealing with cross-site reques
+1. Read [MDN's docs on "Using HTTP cookies"](https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies) to consolidate your understanding of cookies' use cases and attributes, as well as expand your awareness of cookie security and general practices. We will naturally explore more of these over the coming lessons. +
### Knowledge check The following questions are an opportunity to reflect on key topics in this lesson. If you can't answer a question, click on it to review the material, but keep in mind you are not expected to memorize or master this knowledge. -- [A KNOWLEDGE CHECK QUESTION](A-KNOWLEDGE-CHECK-URL) +- [What are cookies?](#introduction) +- [What are cookies?](#introduction) +- [Why might you need to set an expiry date on a cookie?](#expiresmaxage) +- [How can you prevent cookies from being read via client-side JavaScript, and why might you want to prevent that?](#httponly) +- [What does the "Secure" attribute do to a cookie?](#secure) ### Additional resources From 0393138d2e597bdaa1c0a38221105adb1c77a26b Mon Sep 17 00:00:00 2001 From: MaoShizhong <122839503+MaoShizhong@users.noreply.github.com> Date: Sat, 19 Oct 2024 17:05:08 +0100 Subject: [PATCH 07/12] Add info on cookie regulations/banners --- nodeJS/authentication/cookies.md | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/nodeJS/authentication/cookies.md b/nodeJS/authentication/cookies.md index a3a2a8dc0ac..87a2b82de38 100644 --- a/nodeJS/authentication/cookies.md +++ b/nodeJS/authentication/cookies.md @@ -9,6 +9,7 @@ This section contains a general overview of topics that you will learn in this l - Describe what cookies are. - Describe what you can use cookies for. - Explain some of the different attributes of cookies. +- Explain when and why you might need to notify users for consent to use cookies. ### Cookies 
@@ -42,6 +43,14 @@ If set, prevents the cookie from being sent with a request/response if not using Determines whether or not the cookie is sent when dealing with cross-site requests in various contexts. We will not dive into this option too much for now, as we will be using cookies in a same-site context first. Later on when we start building REST APIs and separating our server from the client, this attribute and some others will become more relevant. +### Regulations and cookie consent + +Depending on where you live, you may have come across cookie consent banners when accessing some sites. There are some regulations, such as the [General Data Protection Regulation (GDPR)](https://en.wikipedia.org/wiki/General_Data_Protection_Regulation), that restrict the use of cookies unless certain conditions are met. Different regulations will affect different countries, such as [EU GDPR covering all European Union countries](https://thoropass.com/blog/compliance/gdpr-countries/). + +The exact requirements depend on the regulations for the region (if any). In the case of EU GDPR for example, restrictions apply only to cookies that are not deemed "strictly necessary" to the website's function. A cookie used solely to keep someone logged into a website is an example of a strictly necessary cookie and so will not require user consent. Cookies used as part of user data collection, such as with Google analytics, are not strictly necessary and so would require user consent alongside clear explanations of what data will be collected and how they'd be used. Such users should also be allowed to withdraw consent and opt out of those cookies. + +In this course, we will only be demonstrating the use of cookies for authentication purposes (strictly neccessary). Nonetheless, it's good to be generally aware of such regulations around cookies should you ever wish to use them for other purposes. + ### Assignment
@@ -59,6 +68,7 @@ The following questions are an opportunity to reflect on key topics in this less - [Why might you need to set an expiry date on a cookie?](#expiresmaxage) - [How can you prevent cookies from being read via client-side JavaScript, and why might you want to prevent that?](#httponly) - [What does the "Secure" attribute do to a cookie?](#secure) +- [Under some regulations, what kinds of cookies would require user consent before they can be used?](#regulations-and-cookie-consent) ### Additional resources From 9d8206c69642a423e49aa6df52a042126d44c2b4 Mon Sep 17 00:00:00 2001 From: MaoShizhong <122839503+MaoShizhong@users.noreply.github.com> Date: Wed, 13 Nov 2024 15:51:39 +0000 Subject: [PATCH 08/12] Streamline verbiage Remove duplicate line --- nodeJS/authentication/cookies.md | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/nodeJS/authentication/cookies.md b/nodeJS/authentication/cookies.md index 87a2b82de38..c4ac780fdf5 100644 --- a/nodeJS/authentication/cookies.md +++ b/nodeJS/authentication/cookies.md 
@@ -49,7 +49,7 @@ Depending on where you live, you may have come across cookie consent banners whe The exact requirements depend on the regulations for the region (if any). In the case of EU GDPR for example, restrictions apply only to cookies that are not deemed "strictly necessary" to the website's function. A cookie used solely to keep someone logged into a website is an example of a strictly necessary cookie and so will not require user consent. Cookies used as part of user data collection, such as with Google analytics, are not strictly necessary and so would require user consent alongside clear explanations of what data will be collected and how they'd be used. Such users should also be allowed to withdraw consent and opt out of those cookies. -In this course, we will only be demonstrating the use of cookies for authentication purposes (strictly neccessary). Nonetheless, it's good to be generally aware of such regulations around cookies should you ever wish to use them for other purposes. +In this course, we will only be demonstrating the use of cookies for authentication purposes ("strictly neccessary"). Nonetheless, it's good to be generally aware of such regulations around cookies should you ever wish to use them for other purposes. ### Assignment 
@@ -63,10 +63,9 @@ In this course, we will only be demonstrating the use of cookies for authenticat The following questions are an opportunity to reflect on key topics in this lesson. If you can't answer a question, click on it to review the material, but keep in mind you are not expected to memorize or master this knowledge. -- [What are cookies?](#introduction) - [What are cookies?](#introduction) - [Why might you need to set an expiry date on a cookie?](#expiresmaxage) -- [How can you prevent cookies from being read via client-side JavaScript, and why might you want to prevent that?](#httponly) +- [Why might you want to prevent client-side JavaScript from accessing a cookie and how would you implement this?](#httponly) - [What does the "Secure" attribute do to a cookie?](#secure) - [Under some regulations, what kinds of cookies would require user consent before they can be used?](#regulations-and-cookie-consent) From 809e1cb84c3d9bd32d848893740d710a37413e46 Mon Sep 17 00:00:00 2001 From: MaoShizhong <122839503+MaoShizhong@users.noreply.github.com> Date: Wed, 13 Nov 2024 15:54:57 +0000 Subject: [PATCH 09/12] Fix spelling and appease linter --- nodeJS/authentication/cookies.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/nodeJS/authentication/cookies.md b/nodeJS/authentication/cookies.md index c4ac780fdf5..015b5fb33a6 100644 --- a/nodeJS/authentication/cookies.md +++ b/nodeJS/authentication/cookies.md 
@@ -49,7 +49,7 @@ Depending on where you live, you may have come across cookie consent banners whe The exact requirements depend on the regulations for the region (if any). In the case of EU GDPR for example, restrictions apply only to cookies that are not deemed "strictly necessary" to the website's function. A cookie used solely to keep someone logged into a website is an example of a strictly necessary cookie and so will not require user consent. Cookies used as part of user data collection, such as with Google analytics, are not strictly necessary and so would require user consent alongside clear explanations of what data will be collected and how they'd be used. Such users should also be allowed to withdraw consent and opt out of those cookies. -In this course, we will only be demonstrating the use of cookies for authentication purposes ("strictly neccessary"). Nonetheless, it's good to be generally aware of such regulations around cookies should you ever wish to use them for other purposes. +In this course, we will only be demonstrating the use of cookies for authentication purposes ("strictly necessary"). Nonetheless, it's good to be generally aware of such regulations around cookies should you ever wish to use them for other purposes. ### Assignment @@ -65,7 +65,7 @@ The following questions are an opportunity to reflect on key topics in this less - [What are cookies?](#introduction) - [Why might you need to set an expiry date on a cookie?](#expiresmaxage) -- [Why might you want to prevent client-side JavaScript from accessing a cookie and how would you implement this?](#httponly) +- [Why might you want to prevent client-side JavaScript from accessing a cookie and how would you implement that?](#httponly) - [What does the "Secure" attribute do to a cookie?](#secure) - [Under some regulations, what kinds of cookies would require user consent before they can be used?](#regulations-and-cookie-consent) 
From 421745e57152273ad71cac7f334214dfbe33e067 Mon Sep 17 00:00:00 2001 From: MaoShizhong <122839503+MaoShizhong@users.noreply.github.com> Date: Sun, 17 Nov 2024 13:59:56 +0000 Subject: [PATCH 10/12] Tweak verbiage Co-authored-by: Asartea <76259120+Asartea@users.noreply.github.com> --- nodeJS/authentication/cookies.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nodeJS/authentication/cookies.md b/nodeJS/authentication/cookies.md index 015b5fb33a6..d57d36ed37d 100644 --- a/nodeJS/authentication/cookies.md +++ b/nodeJS/authentication/cookies.md @@ -31,7 +31,7 @@ Persistent cookies need to be given either an expiry date or a maximum age (if y By default, cookies can be accessed via JavaScript in the browser via `document.cookie`. Again, this may be necessary in some cases but in others, this can be incredibly unsafe. -Imagine a cookie used to keep you logged in even for when you leave and revisit a website. Now imagine you're the poor victim of a cross-site scripting (XSS) attack. All the attacker needs to do is access `document.cookie` in the malicious script and retrieve the cookie data. Now they can use that cookie data to pose as you and log into your account on their machine, even if they don't know your username or password! +Imagine a cookie is being used to keep you logged in even when you leave and revisit a website. Now imagine you're the poor victim of a cross-site scripting (XSS) attack. All the attacker needs to do is access `document.cookie` in the malicious script and retrieve the cookie data. Now they can use that cookie data to pose as you and log into your account on their machine, even if they don't know your username or password! HttpOnly cookies will still be attached to requests sent with JavaScript on the client (e.g. `fetch()`) and you will still be able to see the cookie details in browser devtools, but they will not be accessible via client-side JavaScript like `document.cookie`, protecting against XSS atacks. 
From 2376ae5ace866241eede1648d2df03965c80c349 Mon Sep 17 00:00:00 2001 From: mao-sz <122839503+mao-sz@users.noreply.github.com> Date: Sat, 13 Sep 2025 14:46:45 +0100 Subject: [PATCH 11/12] Remove section on SameSite attribute No longer relevant to the course - cross-site stuff later in the curriculum now handled in a way that does not require setting SameSite=None etc. --- nodeJS/authentication/cookies.md | 4 ---- 1 file changed, 4 deletions(-) diff --git a/nodeJS/authentication/cookies.md b/nodeJS/authentication/cookies.md index d57d36ed37d..e5aadcbba76 100644 --- a/nodeJS/authentication/cookies.md +++ b/nodeJS/authentication/cookies.md @@ -39,10 +39,6 @@ HttpOnly cookies will still be attached to requests sent with JavaScript on the If set, prevents the cookie from being sent with a request/response if not using HTTPS (localhost, which uses HTTP, is the only exception) which ensures the cookie won't be sent via unencrypted and insecure means. -#### SameSite - -Determines whether or not the cookie is sent when dealing with cross-site requests in various contexts. We will not dive into this option too much for now, as we will be using cookies in a same-site context first. Later on when we start building REST APIs and separating our server from the client, this attribute and some others will become more relevant. - ### Regulations and cookie consent Depending on where you live, you may have come across cookie consent banners when accessing some sites. There are some regulations, such as the [General Data Protection Regulation (GDPR)](https://en.wikipedia.org/wiki/General_Data_Protection_Regulation), that restrict the use of cookies unless certain conditions are met. Different regulations will affect different countries, such as [EU GDPR covering all European Union countries](https://thoropass.com/blog/compliance/gdpr-countries/). From 0ad79aceec6757cc485e4e91fd05ecec3784c5fa Mon Sep 17 00:00:00 2001 
From: mao-sz <122839503+mao-sz@users.noreply.github.com> Date: Mon, 17 Nov 2025 23:30:16 +0000 Subject: [PATCH 12/12] Rephrase LO items to be topic overviews than learning objectives Better matches style guide's intent for the section: https://github.com/TheOdinProject/curriculum/blob/main/LAYOUT_STYLE_GUIDE.md#lesson-layout --- nodeJS/authentication/cookies.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/nodeJS/authentication/cookies.md b/nodeJS/authentication/cookies.md index e5aadcbba76..8201ee38797 100644 --- a/nodeJS/authentication/cookies.md +++ b/nodeJS/authentication/cookies.md @@ -6,10 +6,10 @@ Before we dive into how to authenticate, let's first have a brief look at cookie This section contains a general overview of topics that you will learn in this lesson. -- Describe what cookies are. -- Describe what you can use cookies for. -- Explain some of the different attributes of cookies. -- Explain when and why you might need to notify users for consent to use cookies. +- What cookies are. +- Uses for cookies. +- Cookie attributes. +- Cookie consent notifications. ### Cookies
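Review bot: In the `### Cookies` paragraph added by patch 02, "a server can create a cookie and send it along with its response to the client, where the client can then set that cookie" never names the mechanism and muddles who sets what. The server sets the cookie with a `Set-Cookie` response header and the browser stores it and returns it in a `Cookie` request header on later requests to that origin; saying so here would make the `HttpOnly` and `Secure` attributes later in the lesson (which are flags on that `Set-Cookie` header) much easier to follow. Suggest "The server sets a cookie by including a `Set-Cookie` header in its response; the browser stores it and sends it back in the `Cookie` header of future requests to that site."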
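Review bot: The `#### Expires/MaxAge` heading introduced in patch 03 uses the Express `res.cookie()` option name rather than the attribute name; in the `Set-Cookie` header (and on the MDN page the next patch links) the attribute is spelled `Max-Age`. Either rename the heading to `Expires/Max-Age` or add a sentence in the text saying that `maxAge` is how Express exposes it, so readers do not search MDN for a `MaxAge` attribute. Note that renaming the heading changes the `#expiresmaxage` anchor that the knowledge check added in a later patch links to.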
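Review bot: In the patch 04 hunk, "cookies expire when the client shuts down (whether that's from fully leaving the website or closing the browser)" is wrong for the first case: a session cookie is not removed when the user navigates away from the site, only when the browser session ends, and browsers with session restore may keep it even then. Suggest "By default a cookie lasts for the browser session; it is not removed when you navigate away from the site, but it is discarded when the browser is closed." In the same hunk, "protecting against XSS atacks" has a typo and overstates what `HttpOnly` does: as the preceding sentence itself says, `fetch()` calls from an injected script still carry the cookie, so `HttpOnly` only stops the cookie value from being read and reused on the attacker's machine; it does not stop an XSS payload from acting as the logged-in user from inside the victim's browser. Suggest "limiting the damage of an XSS attack" and fix the spelling.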
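Review bot: The `Secure` description in the patch 05 `@@ -36,8 +36,12 @@` hunk says the cookie is not "sent with a request/response if not using HTTPS", which conflates two directions. The attribute is an instruction to the browser: it will only attach the cookie to HTTPS requests, and it will ignore a `Set-Cookie` carrying `Secure` that arrives over plain HTTP; the server's response is otherwise unaffected. Suggest "the browser will only send the cookie over HTTPS". The "localhost ... is the only exception" claim should also be hedged: major browsers treat `http://localhost` as a potentially trustworthy origin, but that is browser behaviour, not part of the cookie specification, so "browsers make an exception for localhost" is more accurate. Since the lesson never shows what a cookie with these attributes looks like on the wire, one example header line would help, e.g. `Set-Cookie: session=<id>; HttpOnly; Secure; Max-Age=604800`.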
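Review bot: The knowledge check list added in patch 06 contains "What are cookies?" twice; drop one (a later patch in this series does so, so squash it here). Both copies also link to `#introduction`, but the definition the question is asking for lives under the `### Cookies` heading added in patch 02, so `#cookies` is the better target.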
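Review bot: The patch 07 regulations hunk attributes the cookie-consent requirement to GDPR, but in the EU the requirement to obtain consent for non-essential cookies comes from Article 5(3) of the ePrivacy Directive (2002/58/EC as amended), with GDPR defining what counts as valid consent; the "strictly necessary" exemption the paragraph relies on is in the ePrivacy Directive, not in GDPR. Suggest "regulations such as the EU's ePrivacy Directive and [GDPR](...)" so readers looking for the exemption know where it is. Style: "Google analytics" should be "Google Analytics".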
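Review bot: The trailing context of the patch 10 hunk still reads "protecting against XSS atacks"; the spelling pass in patch 09 missed it. Since this patch already rewrites the sentence immediately above it in the HttpOnly paragraph, fix the spelling here rather than in a separate commit.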
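Review bot: Removing the `#### SameSite` subsection in patch 11 leaves an authentication lesson with no mention of cross-site request forgery, which is the attack the attribute exists to limit. Even if the curriculum no longer needs `SameSite=None`, a login cookie set without an explicit `SameSite` value is treated as `Lax` by Chromium-based browsers, and that default is what stops the cookie being sent on cross-site `POST` requests; readers who later set `SameSite=None` to "fix" a cross-site problem will be switching that protection off without knowing it. Suggest keeping two sentences under the heading that name the attribute, the `Lax` default and CSRF, instead of deleting the subsection outright.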