DEV Community

alvinscode

Cookies and Environment Variables

Paywalls were one of the most interesting things about the internet to me. How did the website know how many articles I'd viewed? How does a website know how long I've spent on it even though this is the first time I've opened it in a week? Websites store this type of information in cookies. Cookies are a way for a server to send state information to a user, and for the user to return that information to the server on later requests. To store state, a server includes a Set-Cookie header in an HTTP response. When the user returns to the website, the browser sends the stored value back in a Cookie header, and the server is free to interpret that information however it likes. In Chrome's developer console, the Application -> Cookies panel lets the user delete cookies, which resets the state a website has stored.

The mystery of cookies doesn't end there, though. There is another layer of protection that can be applied to cookies, and that is known as a session cookie. The server creates a signature for every session cookie and attaches that signature to the cookie. This makes it so users cannot tamper with the cookie: if the cookie is messed with, the changed value will no longer match the unique signature left by the server, so the server will ignore the changes and just generate a new session.
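As an added example (not code from the original post), here is how a server can sign a session cookie with a secret key and reject a tampered one. The key is read from the environment; the fallback value and the function names are constructed for this example so it runs stand-alone.

```python
import base64
import hashlib
import hmac
import json
import os
import secrets

# The signing key is read from the environment; the fallback is a constructed
# placeholder so the example runs stand-alone and is not a real key.
SECRET_KEY = os.environ.get("SECRET_KEY", "example-placeholder-not-a-real-key").encode()


def _signature(payload: str, key: bytes) -> str:
    """HMAC-SHA256 over the serialized session; only someone holding the key can produce it."""
    return hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()


def make_session_cookie(session: dict, key: bytes = SECRET_KEY) -> str:
    """Serialize the session and append its signature as payload.signature.
    The payload is readable by the user; it just cannot be changed unnoticed."""
    payload = base64.urlsafe_b64encode(json.dumps(session, sort_keys=True).encode()).decode()
    return f"{payload}.{_signature(payload, key)}"


def read_session_cookie(cookie: str, key: bytes = SECRET_KEY):
    """Return the session dict if the signature verifies, otherwise None."""
    payload, sep, signature = cookie.rpartition(".")
    if not sep:
        return None
    # Constant-time comparison, so timing does not leak how many bytes matched.
    if not hmac.compare_digest(_signature(payload, key), signature):
        return None
    try:
        return json.loads(base64.urlsafe_b64decode(payload.encode()))
    except ValueError:
        return None


def load_or_new_session(cookie, key: bytes = SECRET_KEY) -> dict:
    """Per-request logic: trust a correctly signed cookie, otherwise start a fresh session."""
    session = read_session_cookie(cookie, key) if cookie else None
    if session is None:
        session = {"id": secrets.token_hex(8), "articles_viewed": 0}
    return session
```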

So, what is used to create that signature? The signature is produced with a secret key (often configured as secret_key). A secret key is a security mechanism used to authenticate requests or services offered by a website, and it only works as long as nobody else knows it. So, how do servers keep their keys secret? Here are some steps that can be taken to hide a secret key:

  • Use environment variables - secret keys can be stored as variables outside of the program. An example of setting an environment variable in a shell is:
export ENV_VARIABLE="Secret!"

In this example, 'ENV_VARIABLE' is an environment variable that has "Secret!" as its value. Programs can then obtain "Secret!" by asking for 'ENV_VARIABLE' without ever containing "Secret!" in their code.

  • Creating a .env File - A .env file is used to store environment variables. This file is not pushed to a repository, which keeps its contents secret. Secret keys can be stored in this file, one per line, in this format:
KEY=VALUE
  • Using .gitignore - Adding .env to a .gitignore file is the way to prevent accidentally publishing the secret key information anywhere.

  • Access Environment Variables in Code - In Python, you can use the os module to access environment variables. You can do it like this:

import os

secret_key = os.environ.get("SECRET_KEY")
  • Set Environment Variables in Production - In the deployed version of an application, the code never contains the secret key itself; it only references the environment variable that holds it.

  • Set Environment Variables while Hosting - Most hosting services will provide a way to use environment variables when deploying applications.

  • Secure the Environment Variable - Only people that are working on the project should have access to the environment variables, to prevent exploitation of your application. If a variable is compromised, you should change it as soon as you can.
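An added example, not from the original post, that ties these steps together: a small loader that reads KEY=VALUE lines from .env text (a constructed sample stands in for a real file), fills in only the variables the hosting environment has not already set, and refuses to start when the secret key is missing. The names parse_dotenv, load_dotenv and require_env are assumptions for this example.

```python
import os
import re

# Constructed sample of what a local .env file (listed in .gitignore) would contain.
SAMPLE_DOTENV = """\
# local development settings; never committed
SECRET_KEY="Secret!"
export DEBUG=false
EMPTY=
"""

# KEY=VALUE, optionally prefixed with "export" as in a shell script.
ENV_LINE = re.compile(r'^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$')


def parse_dotenv(text):
    """Turn .env text into a dict; blank lines, comments and malformed lines are skipped."""
    values = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        match = ENV_LINE.match(line)
        if not match:
            continue
        key, raw = match.groups()
        # Strip one pair of matching quotes, so SECRET_KEY="Secret!" yields Secret!
        if len(raw) >= 2 and raw[0] == raw[-1] and raw[0] in "\"'":
            raw = raw[1:-1]
        values[key] = raw
    return values


def load_dotenv(text, environ=os.environ):
    """Copy parsed values into the environment without overriding anything already set,
    so values injected by the hosting service in production win over the local file."""
    loaded = []
    for key, value in parse_dotenv(text).items():
        if key not in environ:
            environ[key] = value
            loaded.append(key)
    return loaded


def require_env(name, environ=os.environ):
    """Fetch a variable the application cannot run without; fail loudly rather than
    silently falling back to an empty or hard-coded key."""
    value = environ.get(name)
    if not value:
        raise RuntimeError(f"required environment variable {name} is not set")
    return value
```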

Environment variables are part of the environment in which a process runs. They are accessible to any program or process running in that environment, regardless of programming language or location in the system. They are used to store configuration settings, such as a path to a directory, system preferences, or settings needed by applications. They can be set, changed, or removed at any time during the runtime of a system, which allows them to be changed dynamically without modifying code. In addition, environment variables are accessed through APIs provided by programming languages: getenv (C/C++), process.env (Node.js), and os.environ (Python) are used to retrieve their values.

A real-life, practical environment variable might look like this (a JSON document stored as the variable's string value):

Name: DATABASE_CONFIG

{
    "host": "database.example.com",
    "port": 5555,
    "username": "db_username",
    "password": "secret_password",
    "database": "appdb"
}

This variable stores important information such as the host address, port, database username, password, and name of the database. Environment variables like this are used in applications where sensitive information needs to be stored but also accessed outside of the application's code. The benefits of using an environment variable like this are security, flexibility, easy management, and portability. When a program needs to, it reads this variable and extracts the necessary information to establish a secure and reliable connection to the database. Cookies, secret keys, and environment variables are some very intricate and interesting things that make up the foundation of the modern internet and computers.
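An added example, not from the original post, of how an application would consume a DATABASE_CONFIG variable like the one above: the JSON string is parsed, every field is checked before any connection is attempted, and a copy with the password masked is produced for logging. The sample value is constructed and the function names are assumptions.

```python
import json
import os

# Each required field and the type it must have.
REQUIRED_FIELDS = {"host": str, "port": int, "username": str, "password": str, "database": str}

# Constructed sample: an environment variable can only hold a string, so the JSON is serialized.
SAMPLE_DATABASE_CONFIG = json.dumps({
    "host": "database.example.com",
    "port": 5555,
    "username": "db_username",
    "password": "secret_password",
    "database": "appdb",
})


def load_database_config(environ=os.environ):
    """Read and validate DATABASE_CONFIG; raise a clear error instead of connecting with bad settings."""
    raw = environ.get("DATABASE_CONFIG")
    if raw is None:
        raise RuntimeError("DATABASE_CONFIG is not set")
    try:
        config = json.loads(raw)
    except json.JSONDecodeError as exc:
        raise RuntimeError("DATABASE_CONFIG is not valid JSON") from exc
    if not isinstance(config, dict):
        raise RuntimeError("DATABASE_CONFIG must be a JSON object")
    for field, expected in REQUIRED_FIELDS.items():
        value = config.get(field)
        # bool is a subclass of int in Python, so exclude it explicitly for the port.
        if not isinstance(value, expected) or isinstance(value, bool):
            raise RuntimeError(f"DATABASE_CONFIG field {field!r} is missing or not {expected.__name__}")
    if not 1 <= config["port"] <= 65535:
        raise RuntimeError("DATABASE_CONFIG port is out of range")
    return config


def redacted(config):
    """Copy that is safe to log: the password is masked, everything else is kept."""
    return {key: ("***" if key == "password" else value) for key, value in config.items()}
```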
