We use the HTTP protocol to request web pages from a server, but HTTP is stateless: every request is handled on its own, so nothing from one page carries over to the next round trip between the client (browser) and the server, and the server cannot tell by itself whether two requests come from the same client or from different clients. Some mechanism is therefore needed for state management. Several exist, such as cookies, application state, ViewState, query strings and context objects; here we discuss cookies, the best-known way of managing state on the web.
What is a Cookie?
Examples of Cookies
Cookies are most commonly used to keep a visitor associated with a session and to track website activity. When you visit a site, the server hands your browser a cookie that acts as your identification card. On each later request to that site, your browser sends the cookie back to the server. In this way a web server can recognise a returning user and gather information about which pages are used the most and which pages draw the most repeat visits.
Types of Cookies
Session cookie: also called a transient cookie, a cookie that is erased when you close the web browser. It carries no expiration date, is held in the browser's memory rather than written to disk as a stored cookie, and is not retained after the browser is closed (although a browser's session-restore feature may carry it across a restart). A session cookie does not gather anything from your computer; it holds only what the server put in it.
Persistent cookie: also called a permanent cookie or a stored cookie, a cookie that is kept on your hard drive until it expires (persistent cookies are set with an expiration date) or until you delete it. Persistent cookies are used to remember a user across browser sessions, for example their browsing behaviour, a "remember me" login or their preferences for a specific website.
What information does a cookie store?
A cookie consists of a name and a value plus the following attributes:
- The name of the cookie.
- The value of the cookie.
- The path the cookie is valid for. This sets the URL path prefix the cookie is sent for; requests for pages outside that path do not carry the cookie.
- The domain the cookie is valid for. Setting it to a parent domain makes the cookie available to pages on every host under that domain, which is what a site spread over several servers in one domain relies on. When it is left unset the cookie is host-only and is returned only to the exact host that set it.
- The expiration date of the cookie (the Expires attribute, or the newer Max-Age attribute, a lifetime in seconds). This determines how long the cookie remains active in your browser; without it the cookie lasts only for the browser session.
- The HttpOnly and Secure flags. These restrict how the cookie may be accessed and transmitted, which limits what an attacker can do with it; they are covered in detail under Security of Cookies below.
Security of Cookies
As discussed above, cookies frequently carry session information, so they must not be obtainable by an attacker.
The following settings for the cookie attributes help keep cookies secure.
- Secure attribute: whenever a cookie contains sensitive information or is a session token, it should be transmitted only over an encrypted channel (HTTPS). With the Secure flag set, the browser sends the cookie only over HTTPS and never over plain HTTP, so an attacker on the network cannot read it off the wire.
- HttpOnly attribute: this should always be set on session cookies. It prevents client-side script (document.cookie) from reading the cookie, so a cross-site scripting bug cannot simply copy the token out of the browser. Every current browser supports it. Note that it does not stop injected script from issuing requests that carry the cookie automatically; it only keeps the value itself out of the script's reach.
- Domain attribute: verify that the domain has not been set too loosely. For example, if the application resides on the server app.myserver.com, it should be set to "domain=app.myserver.com" (or, stricter still, left out entirely, which makes the cookie host-only) and not "domain=myserver.com", as that would allow other, potentially vulnerable, servers such as test.myserver.com to receive the cookie.
- Path attribute: verify that the path attribute, just like the Domain attribute, has not been set too loosely. For example, if the application resides at /app/, verify that the cookie's path is set to "path=/app/" and NOT "path=/", as that would send the cookie to every path on the server, including one such as /attack/. Treat Path as defence in depth only: browsers do not isolate paths from each other for script running on the same origin, so a page under /attack/ that can run script on that host can still reach a cookie scoped to /app/ (for instance by framing a page under /app/ and reading its document.cookie).
- Expires attribute: if this attribute is set to a time in the future, verify that the cookie does not contain any sensitive information. For example, if a cookie is set to "expires=Sun, 31-Mar-2017 13:45:29 GMT" and it is currently 3 March 2017, the tester should inspect the cookie. If the cookie is a session token and is stored on the user's hard drive, an attacker or another local user (such as an administrator) with access to that file can access the application by resubmitting the token until the expiration date passes. The same applies to the Max-Age attribute, which sets a lifetime in seconds and takes precedence over Expires when both are present.
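The checks in this list, turned into a small audit script as an added example that is not part of the original article: it parses a Set-Cookie header into the attributes listed under "What information does a cookie store?", flags each of the Secure, HttpOnly, Domain, Path and Expires/Max-Age problems described above (the Expires check is also what separates a persistent cookie from a session cookie), and emits a hardened header that passes every check. The host app.myserver.com, the path /app/, the cookie name sessionid, the sample headers and the audit date are assumptions constructed to match the article's own illustrations; SameSite in the hardened header is a newer attribute the article does not cover.

```python
"""Audit Set-Cookie headers against the checks listed above, and build one
that passes them.

Added example for this article; it is not code from the original page. The
host app.myserver.com, the path /app/ and the sample headers are constructed
to match the article's own illustrations.
"""
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime


def parse_set_cookie(header):
    """Split a Set-Cookie header into (name, value, attrs).

    The first ';'-separated piece is name=value; each remaining piece is an
    attribute. Attribute names are lower-cased; bare flags (Secure, HttpOnly)
    map to True and valued attributes (Path, Domain, Expires, ...) to their text.
    """
    pieces = [p.strip() for p in header.split(";")]
    name, _, value = pieces[0].partition("=")
    attrs = {}
    for piece in pieces[1:]:
        if piece:
            key, _, val = piece.partition("=")
            attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value.strip(), attrs


def audit_cookie(header, host, app_path, now, sensitive=True):
    """Return [(code, message), ...] for every check the header fails.

    host      - host the application really runs on, e.g. app.myserver.com
    app_path  - URL path prefix the application lives under, e.g. /app/
    now       - current time as an aware datetime, used for the Expires check
    sensitive - True for session tokens or any cookie carrying secrets
    """
    _, _, attrs = parse_set_cookie(header)
    findings = []

    # Secure: a sensitive cookie must only ever travel over HTTPS.
    if sensitive and "secure" not in attrs:
        findings.append(("secure", "Secure flag missing"))

    # HttpOnly: keeps document.cookie from handing the value to injected script.
    if "httponly" not in attrs:
        findings.append(("httponly", "HttpOnly flag missing"))

    # Domain: a parent domain shares the cookie with every host under it.
    # No Domain attribute at all is the strictest choice (host-only cookie).
    domain = attrs.get("domain")
    if isinstance(domain, str) and domain.lstrip(".").lower() != host.lower():
        findings.append(("domain", f"Domain={domain} is wider than {host}"))

    # Path: '/' hands the cookie to every path on the origin, /attack/ included.
    path = attrs.get("path", "/")
    scoped = isinstance(path, str) and (
        (path.rstrip("/") + "/").startswith(app_path.rstrip("/") + "/"))
    if not scoped:
        findings.append(("path", f"Path={path} is not scoped to {app_path}"))

    # Expires / Max-Age: a token that outlives the browser session sits on disk.
    # Max-Age (seconds) takes precedence over Expires when both are present.
    lifetime = None
    if isinstance(attrs.get("max-age"), str):
        lifetime = timedelta(seconds=int(attrs["max-age"]))
    elif isinstance(attrs.get("expires"), str):
        expires = parsedate_to_datetime(attrs["expires"])
        if expires.tzinfo is None:
            expires = expires.replace(tzinfo=timezone.utc)
        lifetime = expires - now
    if sensitive and lifetime is not None and lifetime > timedelta(0):
        findings.append(("expires", f"persistent for {lifetime} although sensitive"))

    return findings


def hardened_set_cookie(name, value, app_path):
    """Build a Set-Cookie line that passes every check in audit_cookie.

    Domain is deliberately omitted: the browser then returns the cookie only
    to the exact host that set it, tighter than Domain=app.myserver.com. With
    no Expires/Max-Age it is a session (transient) cookie. SameSite=Lax is a
    newer attribute the article does not cover; it stops most cross-site
    requests from carrying the cookie.
    """
    return f"{name}={value}; Path={app_path}; Secure; HttpOnly; SameSite=Lax"


# Constructed sample: the loose configuration the article warns about, audited
# on the date the article uses (3 March 2017).
WEAK_HEADER = ("sessionid=abc123; Domain=myserver.com; Path=/; "
               "Expires=Sun, 31-Mar-2017 13:45:29 GMT")
ARTICLE_DATE = datetime(2017, 3, 3, tzinfo=timezone.utc)

if __name__ == "__main__":
    for code, message in audit_cookie(WEAK_HEADER, "app.myserver.com", "/app/", ARTICLE_DATE):
        print(f"[{code}] {message}")
    fixed = hardened_set_cookie("sessionid", "abc123", "/app/")
    print("fixed:", fixed)
    print("findings:", audit_cookie(fixed, "app.myserver.com", "/app/", ARTICLE_DATE))
```

Running it against the constructed weak header reports all five problems in the order the list above discusses them; the hardened header comes back clean. The Path check is kept even though Path is not a real security boundary, because a tight Path still costs nothing and catches the careless "path=/" default.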
Authored By - Ayush Garg
TCS Enterprise Security and Risk Management