Secure cookies are cookies that are only transmitted over encrypted HTTP connections (HTTPS). When a cookie is set, the Secure attribute instructs the browser to return the cookie to the application only over encrypted connections. The Secure attribute does not protect the cookie in transit from the application to the browser: both Firefox and Internet Explorer allow cookies carrying the Secure attribute to be set over plain HTTP.
An HTTP cookie is a small packet of data that a web server sends to a user's web browser. Since HTTP is a stateless protocol, it cannot carry information from one page request to the next, which is why cookies were needed. There are two types of cookies:
- Persistent cookies - Cookies that store information in the user's browser for a long time.
- Non-persistent cookies - Cookies that generally expire once the browser is closed.
Cookies may contain sensitive information such as passwords and credit card numbers. They are sent over HTTP connections and stored in web browsers as plain text, so attackers can target them to steal the information they hold. To prevent such exposure, cookies are secured with attributes.
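The following added example (not part of the original article) models the browser-side rule described above in a simplified cookie jar: a cookie with the Secure attribute is stored regardless of whether the setting response arrived over HTTP, but is only returned on HTTPS requests. The Set-Cookie values and URLs are constructed sample data, and the missing_secure() audit helper is a hypothetical check for server responses.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass
class Cookie:
    name: str
    value: str
    secure: bool = False      # Secure attribute: send only over HTTPS
    http_only: bool = False   # HttpOnly attribute: hide from scripts


def parse_set_cookie(header: str) -> Cookie:
    """Parse a Set-Cookie header value into a Cookie (simplified model)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = Cookie(name=name.strip(), value=value.strip())
    for attr in parts[1:]:
        key = attr.split("=", 1)[0].strip().lower()
        if key == "secure":
            cookie.secure = True
        elif key == "httponly":
            cookie.http_only = True
    return cookie


def cookie_header_for(jar: list, url: str) -> str:
    """Build the Cookie request header a browser would send for url.

    Secure cookies are withheld unless the request scheme is https.
    """
    scheme = urlsplit(url).scheme.lower()
    sent = [c for c in jar if not c.secure or scheme == "https"]
    return "; ".join(f"{c.name}={c.value}" for c in sent)


def missing_secure(set_cookie_headers: list) -> list:
    """Audit helper (hypothetical): names of cookies set without Secure."""
    return [c.name for c in map(parse_set_cookie, set_cookie_headers) if not c.secure]


def demo() -> dict:
    # Constructed sample: both cookies were set by a response that arrived over
    # plain HTTP, which the article notes browsers permit even for Secure cookies.
    headers = ["session=abc123; Path=/; Secure; HttpOnly", "theme=dark; Path=/"]
    jar = [parse_set_cookie(h) for h in headers]
    return {
        "http": cookie_header_for(jar, "http://example.com/account"),
        "https": cookie_header_for(jar, "https://example.com/account"),
        "unprotected": missing_secure(headers),
    }
```

Running demo() shows the session cookie is absent from the HTTP request but present on HTTPS, while the theme cookie travels in the clear either way.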
Cookie theft and hijacking
Various cookie hijacking techniques exist. None of them is difficult to implement, and each can do significant damage to a user or an organization.
Cookies that are sent over unencrypted channels can be subject to eavesdropping, i.e., an attacker can read the cookie's contents.
End system threats
Cookies can be stolen or copied from the user's system, which could either reveal the information in the cookies or allow the attacker to edit the contents of the cookies and impersonate the user.
An attacker can also try to impersonate a website in order to receive cookies from users. Once obtained, the harvested cookies can be used with websites that accept third-party cookies.
- Session (computer science)
- Information security
- Web beacons