Secure cookies

Secure cookies are a type of cookie that is transmitted only over an encrypted HTTP connection (HTTPS). When setting the cookie, the Secure attribute instructs the browser that the cookie should only be returned to the application over encrypted connections. The Secure attribute does not protect the cookie in transit from the application to the browser: both Firefox and Internet Explorer allow cookies with the Secure attribute to be set over plain HTTP.


To fully protect a cookie, the HttpOnly and SameSite attributes should also be applied to it. HttpOnly prevents the cookie from being accessed by client-side script such as JavaScript, while the SameSite attribute only allows the cookie to be sent to the application if the request originated from the same site.
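The checks described above, as an added example that is not part of the original article: a small audit of Set-Cookie header values that reports cookies missing Secure, HttpOnly or SameSite, and flags a Secure cookie that was set over plain HTTP (the behaviour the article notes for Firefox and Internet Explorer). The header values are constructed samples, not captured from any real site.

```python
def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, {attribute: value}).

    Attribute names are lower-cased; a flag attribute such as Secure
    maps to an empty string.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def audit_cookie(header, scheme="https"):
    """Return a list of findings for a single Set-Cookie header.

    `scheme` is the scheme of the response that carried the header.
    """
    name, _, attrs = parse_set_cookie(header)
    findings = []
    if "secure" not in attrs:
        findings.append(f"{name}: missing Secure; will be sent over cleartext HTTP")
    elif scheme != "https":
        # The browser accepts this, but the value already crossed the wire in clear.
        findings.append(f"{name}: Secure attribute set over plain HTTP; "
                        "the set itself was not protected")
    if "httponly" not in attrs:
        findings.append(f"{name}: missing HttpOnly; readable by script")
    samesite = attrs.get("samesite", "").lower()
    if not samesite:
        findings.append(f"{name}: missing SameSite; sent on cross-site requests")
    elif samesite == "none" and "secure" not in attrs:
        findings.append(f"{name}: SameSite=None requires Secure")
    return findings


def audit_response(set_cookie_headers, scheme="https"):
    """Audit every Set-Cookie header of one response."""
    findings = []
    for header in set_cookie_headers:
        findings.extend(audit_cookie(header, scheme))
    return findings


# Constructed sample headers for demonstration only.
SAMPLE_HEADERS = [
    "JSESSIONID=abc123; Path=/; Secure; HttpOnly; SameSite=Strict",
    "PHPSESSID=def456; Path=/",
    "tracker=1; SameSite=None",
]

if __name__ == "__main__":
    for line in audit_response(SAMPLE_HEADERS, scheme="https"):
        print(line)
```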

Background

An HTTP cookie is a small packet of data which a web server sends to a user's web browser. Since HTTP is a stateless protocol, it cannot carry information from one page to the next on its own, which is why cookies were introduced. There are basically two types of cookies:

Persistent cookies
Cookies which store information in the user's browser for a long time.
Non-persistent cookies
Cookies which generally expire once the browser is closed.

Cookies can contain sensitive information such as passwords or credit card numbers. Because they are sent over an HTTP connection and stored in web browsers as plain text, they can be targeted by attackers to steal the information stored in them. To prevent such information exposure, cookies are secured with attributes.

Various cookie hijacking techniques exist; however, they can be grouped into three general categories:

Network threats

Cookies which are sent over an unencrypted channel can be subject to eavesdropping, i.e. the contents of the cookie can be read by the attacker.

End system threats

Cookies can be stolen or copied from the user's system, which could either reveal the information in the cookie or let the attacker edit the contents of the cookie and impersonate the user.

Here the attacker impersonates a website that accepts cookies from users. Once the attacker gets hold of the cookies, the harvested cookies can be used against the websites which accept them. See third-party cookies.

None of the methods described above is difficult to carry out, and each can do significant damage to a user or an organization.

Java EE 6

In Servlet 6 the session cookies can be protected in the web.xml file.

Asp.net

In Asp.net this is done by setting the requireSSL flag to true in the web.config file.

PHP

In PHP the session cookie can be protected in php.ini.
