Secure cookie

From Wikipedia, the free encyclopedia

A secure cookie is an HTTP cookie that carries the Secure attribute. When a server sets a cookie with this attribute, it instructs the browser to return the cookie only over encrypted (HTTPS) connections, so an eavesdropper on a plaintext HTTP connection never sees it. The attribute does not by itself protect the cookie on the way from the application to the browser: historically, both Firefox and Internet Explorer accepted a Set-Cookie header carrying the Secure attribute even when it arrived over plain HTTP, which let a network attacker plant a cookie that the browser would later present over HTTPS. Browsers that implement the "strict secure cookies" rule of the revised cookie specification (RFC 6265bis) ignore a Secure cookie that is set from a non-secure origin.

To protect a cookie more fully, the HttpOnly and SameSite attributes should be applied as well. HttpOnly keeps the cookie out of reach of client-side script (it is not exposed through document.cookie), which limits what a cross-site scripting flaw can steal. SameSite controls whether the cookie is attached to requests that originate from another site: SameSite=Strict sends it only with same-site requests, SameSite=Lax also sends it with top-level navigations that use a safe method such as GET, and SameSite=None sends it with all requests and is only accepted together with Secure. SameSite is evaluated per site (the registrable domain), not per host or origin.
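The following is an added example, not code from the Wikipedia article or from any browser: a small model of how a browser treats the Secure, HttpOnly and SameSite attributes, together with an audit function that flags a Set-Cookie header lacking them. The parser, the cookie store, the request contexts and the sample headers are all constructed here, and the behaviour follows RFC 6265 and RFC 6265bis rather than any specific browser version.

```javascript
// Added example (not from the article): model of Secure / HttpOnly / SameSite
// handling. All inputs below are constructed for illustration.

// Parse one Set-Cookie header value into { name, value, attrs }.
// Attribute names are case-insensitive, so they are lower-cased. The attrs
// object has no prototype, so a header such as "__proto__=x" cannot pollute it.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(";");
  const eq = pair.indexOf("=");
  if (eq <= 0) throw new Error("Set-Cookie needs a name=value pair");
  const attrs = Object.create(null);
  for (const av of rest) {
    const t = av.trim();
    if (!t) continue;
    const i = t.indexOf("=");
    const key = (i === -1 ? t : t.slice(0, i)).trim().toLowerCase();
    attrs[key] = i === -1 ? true : t.slice(i + 1).trim(); // flag attrs become true
  }
  return { name: pair.slice(0, eq).trim(), value: pair.slice(eq + 1).trim(), attrs };
}

// Report which protections are missing; this is what a header scanner or a
// CI check over an application's Set-Cookie responses would flag.
function auditCookie(cookie) {
  const a = cookie.attrs;
  const findings = [];
  if (!a.secure) findings.push("missing Secure: sent over plain HTTP, readable on the wire");
  if (!a.httponly) findings.push("missing HttpOnly: readable by script via document.cookie");
  if (!a.samesite) findings.push("missing SameSite: attached to cross-site requests (CSRF)");
  else if (String(a.samesite).toLowerCase() === "none" && !a.secure)
    findings.push("SameSite=None requires Secure; browsers reject this cookie");
  return findings;
}

// "Strict secure cookies" (RFC 6265bis): a Set-Cookie carrying Secure that
// arrives over plain http is ignored. Older browsers, as the article notes,
// accepted it; pass through the scheme of the response's origin.
function browserAcceptsSetCookie(cookie, originScheme) {
  return !(cookie.attrs.secure && originScheme !== "https");
}

// Decide whether the stored cookie is attached to an outgoing request.
// ctx: { scheme, sameSite (request is same-site), topLevelNavigation, method }
// A missing SameSite is modelled as None, the behaviour before browsers moved
// to "Lax by default"; Chrome now treats a missing attribute as Lax.
function browserSendsCookie(cookie, ctx) {
  const a = cookie.attrs;
  if (a.secure && ctx.scheme !== "https") return false;
  const mode = a.samesite ? String(a.samesite).toLowerCase() : "none";
  if (mode === "strict") return Boolean(ctx.sameSite);
  if (mode === "lax") {
    if (ctx.sameSite) return true;
    const safeMethods = ["GET", "HEAD", "OPTIONS", "TRACE"];
    return Boolean(ctx.topLevelNavigation) &&
      safeMethods.includes((ctx.method || "GET").toUpperCase());
  }
  return true; // SameSite=None: sent with every request
}

// Whether document.cookie exposes this cookie to script in the page.
function scriptCanRead(cookie) {
  return !cookie.attrs.httponly;
}

// Constructed sample headers: a weak session cookie and a hardened one.
const WEAK_HEADER = "session=abc123; Path=/";
const HARDENED_HEADER = "session=abc123; Path=/; Secure; HttpOnly; SameSite=Strict";

for (const h of [WEAK_HEADER, HARDENED_HEADER]) {
  const c = parseSetCookie(h);
  console.log(h);
  console.log("  findings:", auditCookie(c));
  console.log("  accepted when set over http:", browserAcceptsSetCookie(c, "http"));
  console.log("  sent on cross-site top-level GET over https:",
    browserSendsCookie(c, { scheme: "https", sameSite: false, topLevelNavigation: true, method: "GET" }));
  console.log("  readable by script:", scriptCanRead(c));
}
```

Running the block prints, for each constructed header, the audit findings and how the modelled browser treats the cookie; the weak header yields three findings, is accepted even when set over plain HTTP, and is sent with cross-site requests, while the hardened one yields none and is held back in every unsafe case.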

Background

An HTTP cookie is a small piece of data[1] that a web server sends to a user's web browser, which stores it and returns it with later requests to that server. HTTP itself is stateless: each request is handled on its own, so the protocol has no way to carry information such as a login from one page to the next, and cookies were introduced to fill that need. There are two types of cookies: session cookies, which are kept in memory and discarded when the browser is closed, and persistent cookies, which carry an expiry date and are stored until it passes.

Cookies can hold sensitive information, such as a session identifier that stands in for the user's credentials or, in poorly designed applications, passwords or credit card numbers. Over a plain HTTP connection they travel in clear text, and the browser stores them in clear text, so they are an attractive target for an attacker who wants to read or replay what they contain. Cookie attributes exist to limit this exposure.

Cookie theft and hijacking

Various cookie hijacking techniques exist.[2] None of them is difficult to carry out, and each can do significant damage to a user or an organization.

Network threats

Cookies sent over an unencrypted channel are subject to eavesdropping: an attacker on the network path can read the cookie's contents and replay it to impersonate the user. The Secure attribute is the defence against this threat, since it keeps the cookie off plaintext connections.

End system threats

Cookies can also be stolen or copied on the user's own machine, for example by malware or by script running in the browser. This reveals whatever the cookie contains and may let the attacker edit its contents and impersonate the user. HttpOnly limits what script in a page can read; nothing in the cookie mechanism itself protects against a compromised endpoint.

Cookie harvesting

An attacker can also harvest cookies by impersonating a website and collecting the cookies that users' browsers send to it. The harvested cookies can then be presented to websites that accept third-party cookies.

References

  1. Bortz, Andrew; Barth, Adam; Czeskis, Alexei. "Origin Cookies: Session Integrity for Web Applications" (PDF). Archived (PDF) from the original on 2018-05-13. Retrieved 2018-05-13.
  2. Zheng, Xiaofeng; Jiang, Jian; Liang, Jinjin; Duan, Haixin; Chen, Shuo; Wan, Tao; Weaver, Nicholas (2016-08-12). "Cookies Lack Integrity: Real-World Implications" (PDF). Proceedings of the 24th USENIX Security Symposium. ISBN 978-1-931971-232. Archived (PDF) from the original on 2018-05-13. Retrieved 2018-05-13.
