Cookies are simple text messages, either kept in client machine memory or written as a file on client machine hard storage. The cookie is used to store state information about the client-server transaction, since the protocol (HTTP) is stateless.
While cookies are a real convenience, they can also be a security risk. However, looking beyond the security issues cookies can also be put to work. You can monitor the traffic of Web sites on your Apache server, learn what features are being used on their Web pages (useful for site traffic analysis), and bolster server security by identifying users and tracking their activity.
Configuring Apache for cookie tracking
Before exploiting cookies for these sophisticated features, it’s important to know how to set Apache up for cookie usage in the first place. Apache comes with a module that generates cookies and sends them to clients. This module, mod_usertrack, must be loaded when Apache is configured.
In the configuration file httpd.conf, the code to load the cookie module comes prewritten (but is usually commented out). To enable the module to load when Apache starts, simply un-comment these two lines:
LoadModule usertrack_module modules/mod_usertrack.so
AddModule mod_usertrack.c
Additional configuration is required once you have enabled cookie generation. You must configure the cookie itself and set up its logging. Because cookies are logged client by client, it becomes possible to log each client's site activity in detail. The log file then becomes a security and analysis tool.
The following lines in the httpd.conf file set the cookie format and logging conditions. By default, Apache names its cookie Apache; if you omit a cookie name, this is assumed. However, you can put in the cookie name of your choice, as follows:
CookieName MyCookie
What kind of cookie?
The format of the cookie is also optional. Apache defaults to Netscape cookie style:
CookieStyle Netscape
You can override this default, if you like. However, there are "standards" for cookies out there beyond Netscape's own format. In fact, Netscape initiated these standards in RFC 2109 and RFC 2965. To override the default, use the following style names. For cookie format RFC 2109, enter the following:
CookieStyle Cookie
And for cookie format RFC 2965, enter this:
CookieStyle Cookie2
Cookie duration
How long do you want the cookies to be active? This is decided at configuration time, and each cookie header will contain an expiration date based upon this configuration value. Apache will default to a per-session cookie (stored in memory and eliminated upon session termination) if you enter no expiration value. If you enter a numerical value, Apache reads it as a number of seconds (in this example, an hour):
CookieExpires 3600
Alternatively, you can enter a time period in quotes:
CookieExpires "3 days"
Counting the cookies
Once you've enabled cookies and set the name, format, and expiration, you're ready for logging. When cookie tracking is enabled, Apache will generate a cookie upon receiving a new request. To enable tracking in the httpd.conf file, the following line is required:
CookieTracking On
When you track cookies, you're tracking activity in a particular domain. Remember that the cookie that resides on the client machine usually includes the relevant domain and path for the server interaction. The following line is where you enter that domain name, which then becomes part of the client-stored cookie:
CookieDomain .userdomain.com
You don't have to use this; the default is to leave the domain field of the outbound cookie header empty. If you don't enter a domain, however, you won't be able to specify the domain a client group is accessing.
Where will the tracking data go?
You can set up a log file at configuration time with a line in httpd.conf, as follows:
CustomLog logs/clickstream "%{cookie}n %r %t"
In the line above, logs/clickstream names the logs directory and, within it, the clickstream file that will hold the cookie log. The format string writes the cookie value (%{cookie}n), the request line (%r), and the time of the request (%t) for every entry.
Follow the data
Once you've generated this log, entries are posted to it with every client request. You can track a great deal with such a log. Here are some possibilities:
You're probably able to think of other ways in which you might make use of this information, but this is a start. You can see where users are poking around, which users visit only casually, when a user is persistently on a Web site, and whether or not the usage patterns reflect normal use. The log file is easily manipulated; constructing utilities to extract specific information for security or analysis purposes is a simple exercise.
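One such utility, as an added example that is not part of the original article: it parses lines written by the CustomLog format above ("%{cookie}n %r %t"), groups requests by cookie so that each tracked client becomes one session, and flags sessions whose request rate does not look like normal browsing. The log lines and cookie values are constructed for the example; the burst threshold and window are assumptions you would tune for your own site.

```python
import re
from collections import defaultdict
from datetime import datetime

# One line per request, as written by the article's CustomLog format "%{cookie}n %r %t":
#   <cookie> <method> <path> <protocol> [<timestamp>]   ("-" when no cookie was set)
LINE_RE = re.compile(
    r"^(?P<cookie>\S+) (?P<method>\S+) (?P<path>\S+) (?P<proto>\S+) \[(?P<ts>[^\]]+)\]$")
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
# Constructed sample clickstream (not real traffic); cookie values are made up.
SAMPLE_LOG = """\
198.51.100.7.1065200000000001 GET /index.html HTTP/1.1 [03/Oct/2003:13:55:36 -0700]
198.51.100.7.1065200000000001 GET /products.html HTTP/1.1 [03/Oct/2003:13:56:02 -0700]
203.0.113.9.1065200000000002 GET /index.html HTTP/1.1 [03/Oct/2003:13:57:10 -0700]
- GET /robots.txt HTTP/1.0 [03/Oct/2003:13:57:11 -0700]
203.0.113.9.1065200000000002 GET /products/1 HTTP/1.1 [03/Oct/2003:13:57:12 -0700]
203.0.113.9.1065200000000002 GET /products/2 HTTP/1.1 [03/Oct/2003:13:57:12 -0700]
203.0.113.9.1065200000000002 GET /products/3 HTTP/1.1 [03/Oct/2003:13:57:13 -0700]
198.51.100.7.1065200000000001 GET /contact.html HTTP/1.1 [03/Oct/2003:14:10:45 -0700]
"""

def parse_line(line):
    """Return one entry as a dict, or None if the line does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec

def summarize(log_text, burst_window=60, burst_threshold=3):
    """Group entries by cookie (one tracked client each) and report request count,
    distinct paths, session span in seconds, and a burst flag set when
    burst_threshold requests fall within burst_window seconds (assumed tunables)."""
    by_cookie = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:                      # skip blank or malformed lines instead of crashing
            by_cookie[rec["cookie"]].append(rec)
    out = {}
    for cookie, recs in by_cookie.items():
        times = sorted(r["ts"] for r in recs)
        burst = any(
            (times[i + burst_threshold - 1] - times[i]).total_seconds() <= burst_window
            for i in range(len(times) - burst_threshold + 1))
        out[cookie] = {"requests": len(recs),
                       "paths": sorted({r["path"] for r in recs}),
                       "span_seconds": int((times[-1] - times[0]).total_seconds()),
                       "burst": burst}
    return out
```

Entries logged with "-" as the cookie (requests for which mod_usertrack set no cookie) are kept in their own bucket rather than discarded, so they remain visible in the summary.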
Next steps
It's possible to go even further using cookies to enhance your Apache service. For instance, tracking user preferences and applications becomes possible. However, profiling users in this way raises privacy issues.
©2003 TechRepublic, Inc.