Understanding Cookies and Their Attributes


We use the HTTP protocol to request web pages from a server, but HTTP is stateless: each round trip between the client (browser) and the server produces a fresh page, and information from the previous page is lost. The server also cannot tell whether a series of requests comes from the same client or from different clients. Some mechanism is therefore required for state management. There are several such mechanisms (Cookies, Application State, ViewState, QueryString, Context, etc.), but here we discuss cookies, which are the best-known way of managing state.

What is a Cookie?

Cookies are usually small text files, given ID tags, that are stored in your computer's browser directory or program data subfolders. Cookies are created when you use your browser to visit a website that uses them to keep track of your movements within the site, help you resume where you left off, and remember your registered login, preferences, and other customizations. A cookie's data consists of a single name/value pair, sent in the headers of the client's HTTP GET or POST request.

Examples of Cookies

Cookies are most commonly used to track website activity. When you visit some sites, the server gives you a cookie that acts as your identification card. Upon each return visit to that site, your browser passes that cookie back to the server. In this way, a web server can gather information about which web pages are used the most, and which pages are gathering the most repeat hits.
Cookies are also used for online shopping. Online stores often use cookies that record any personal information you enter, as well as any items in your electronic shopping cart, so that you don't need to re-enter this information each time you visit the site.

Types of Cookies

Session Cookie
Also called a transient cookie, this is a cookie that is erased when you close the web browser. A session cookie is stored in temporary memory and is not retained after the browser is closed. Session cookies do not collect information from your computer.
Persistent Cookie
Also called a permanent cookie or a stored cookie, this is a cookie that is stored on your hard drive until it expires (persistent cookies are set with expiration dates) or until you delete it. Persistent cookies are used to collect identifying information about the user, such as web surfing behavior or user preferences for a specific website.

What information does a cookie store?

A cookie has mainly the following attributes:
  • The name of the cookie.
  • The value of the cookie.
  • The path the cookie is valid for. This sets the URL path the cookie is valid in; web pages outside of that path cannot use the cookie.
  • The domain the cookie is valid for. This makes the cookie accessible to pages on any of the servers when a site uses multiple servers in a domain.
  • The expiration date of the cookie. This determines how long the cookie will remain active in your browser.
  • The HttpOnly and Secure flags. These are cookie flags that are set to protect the cookie from attack; they are described in detail under Security of Cookies below.

Security of Cookies

As discussed, cookies contain session information, so they must not be accessible to an attacker.
We can adopt the procedures below for the cookie attributes to secure our cookies.
  • Secure Attribute - Whenever a cookie contains sensitive information or is a session token, it should always be passed over an encrypted tunnel (HTTPS). We can set the Secure flag on a cookie so that it is sent only over the secure channel, i.e. HTTPS, and not over the insecure channel, i.e. HTTP.
  • HttpOnly Attribute - The HttpOnly attribute should always be set. It helps protect the cookie from being accessed by client-side scripts. Note that this attribute is not supported by every browser.
  • Domain Attribute - Verify that the domain has not been set too loosely. For example, if the application resides on the server app.myserver.com, then it should be set to "domain=app.myserver.com" and not "domain=myserver.com", as the latter would allow other, potentially vulnerable servers such as test.myserver.com to receive the cookie.
  • Path Attribute - Verify that the path attribute, just like the Domain attribute, has not been set too loosely. For example, if the application resides at /myapp/, then verify that the cookie's path is set to "path=/myapp/" and NOT "path=/", as the latter would allow a path such as /attack/ to receive the cookie.
  • Expires Attribute - If this attribute is set to a time in the future, verify that the cookie does not contain any sensitive information. For example, if a cookie is set to "expires=Sun, 31-Mar-2017 13:45:29 GMT" and it is currently Mar 3, 2017, then the tester should inspect the cookie. If the cookie is a session token that is stored on the user's hard drive, then an attacker or local user (such as an admin) who has access to this cookie can access the application by resubmitting the token until the expiration date passes.
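The following Python example is added here to make the attribute list above and this checklist concrete; it is not code from the article. It parses a Set-Cookie header value, audits it against the five attributes discussed (Secure, HttpOnly, Domain, Path, Expires), and builds a hardened form; the host app.myserver.com and the path /myapp/ are taken from the article, while the sample cookie values and the handling of Max-Age (RFC 6265's alternative to Expires) are my own additions.

```python
from datetime import datetime, timezone

# Expires formats: RFC 1123, and the RFC 850 style the article uses ("Sun, 31-Mar-2017 ...").
EXPIRES_FORMATS = ("%a, %d %b %Y %H:%M:%S %Z", "%a, %d-%b-%Y %H:%M:%S %Z")

def parse_set_cookie(header):
    """Split a Set-Cookie value into (name, value, {attr: val}); flags such as Secure map to True."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() or True
    return name.strip(), value.strip(), attrs

def parse_expires(text):
    """Parse an Expires date as UTC; return None if it is in no known format."""
    for fmt in EXPIRES_FORMATS:
        try:
            return datetime.strptime(text, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    return None

def audit_set_cookie(header, app_host, app_path, now=None):
    """Check one Set-Cookie value against the article's checklist and
    return the list of findings (an empty list means every check passed)."""
    now = now or datetime.now(timezone.utc)
    _name, _value, attrs = parse_set_cookie(header)
    findings = []
    if "secure" not in attrs:
        findings.append("Secure missing: cookie is also sent over plain HTTP")
    if "httponly" not in attrs:
        findings.append("HttpOnly missing: readable by client-side scripts")
    domain = attrs.get("domain")  # no Domain attribute = host-only cookie, the narrowest scope
    if isinstance(domain, str) and domain.lstrip(".").lower() != app_host.lower():
        findings.append(f"Domain too loose: {domain} covers hosts other than {app_host}")
    path = attrs.get("path", "/")
    if path.rstrip("/") != app_path.rstrip("/"):
        findings.append(f"Path not scoped to the application: {path} instead of {app_path}")
    expires = attrs.get("expires")
    expires = parse_expires(expires) if isinstance(expires, str) else None
    if (expires and expires > now) or "max-age" in attrs:
        findings.append("persistent cookie: lives on disk, so it must not hold a session token")
    return findings

def hardened_set_cookie(name, value, app_host, app_path):
    """Build a Set-Cookie value that passes every check above."""
    return f"{name}={value}; Secure; HttpOnly; Domain={app_host}; Path={app_path}"
```

Running audit_set_cookie on a weak header such as "SESSIONID=abc123; Domain=myserver.com; Path=/; Expires=Fri, 31-Mar-2017 13:45:29 GMT" (a constructed sample) with the article's host, path and date reports all five weaknesses, while the output of hardened_set_cookie reports none.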

Authored By - Ayush Garg
TCS Enterprise Security and Risk Management
