Secure cookie

Secure cookies are a type of HTTP cookie that have the Secure attribute set, which limits the scope of the cookie to "secure" channels (where "secure" is defined by the user agent, typically a web browser).[1] When a cookie has the Secure attribute, the user agent will include the cookie in an HTTP request only if the request is transmitted over a secure channel (typically HTTPS).[1] Although seemingly useful for protecting cookies from active network attackers, the Secure attribute protects only the cookie's confidentiality. An active network attacker can overwrite Secure cookies from an insecure channel, disrupting their integrity; this issue is officially referred to as Weak Integrity.[1] However, some browsers, including Chrome 52 and higher and Firefox 52 and higher, forgo this part of the specification in favor of better security and forbid insecure sites (HTTP) from setting cookies with the Secure directive.[2]

Even with Secure, sensitive information should never be stored in cookies, as they are inherently insecure and this flag can't offer real protection.[2] The Secure attribute is not the only protection mechanism for cookies; there are also the HttpOnly and SameSite attributes. The HttpOnly attribute prevents client-side script, such as JavaScript, from accessing the cookie, while the SameSite attribute only allows the cookie to be sent to the application if the request originated from the same domain.
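The following is an added example, not part of the original article: a small Python model of the user-agent rules described above (a Secure cookie is attached only to HTTPS requests, and a modern browser refuses a Secure cookie set from an HTTP response), together with an audit function that flags Set-Cookie headers missing the Secure, HttpOnly or SameSite attributes. The host example.test and the cookie values are constructed; Domain, Path and Expires handling is deliberately omitted.

```python
from urllib.parse import urlsplit


def parse_set_cookie(header):
    """Split a Set-Cookie header into (name, value, attrs).
    Attribute names are matched case-insensitively; flags map to ""."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def audit_set_cookie(header):
    """Return findings for the three protective attributes a session cookie should carry."""
    _, _, attrs = parse_set_cookie(header)
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure: cookie is also sent over plain HTTP")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: cookie is readable from client-side script")
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        findings.append("SameSite not Lax/Strict: cookie is sent on cross-site requests")
    return findings


class CookieJar:
    """Minimal user-agent model: reject_secure_from_http=True mirrors the
    Chrome 52+/Firefox 52+ behaviour; False mirrors the plain RFC 6265 rule."""

    def __init__(self, reject_secure_from_http=True):
        self.cookies = {}  # name -> (value, secure_flag)
        self.reject_secure_from_http = reject_secure_from_http

    def store(self, response_url, header):
        """Apply a Set-Cookie header from response_url; return True if it was stored."""
        name, value, attrs = parse_set_cookie(header)
        secure = "secure" in attrs
        insecure_origin = urlsplit(response_url).scheme != "https"
        if secure and insecure_origin and self.reject_secure_from_http:
            return False  # an HTTP response may not set or overwrite a Secure cookie
        self.cookies[name] = (value, secure)  # same name overwrites: the Weak Integrity issue
        return True

    def cookies_for(self, request_url):
        """Cookies the user agent would attach to a request for request_url."""
        https = urlsplit(request_url).scheme == "https"
        return {n: v for n, (v, secure) in self.cookies.items() if https or not secure}
```

With reject_secure_from_http=False the jar shows the Weak Integrity issue the text describes: a Set-Cookie received over HTTP replaces a Secure cookie of the same name, and the replaced value is then sent over HTTPS.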

Background

An HTTP cookie is a small packet of data[3] that is sent from a web server to a user's web browser. Since HTTP is a stateless protocol, it cannot carry information from one page to the next, which is why cookies were needed. There are two types of cookies:

Cookies can contain sensitive information such as passwords and credit card numbers. These are sent over an HTTP connection and stored in the web browser as plain text, so they can be targeted by attackers to steal the information stored in them. To prevent such information exposure, cookies are secured with attributes.

Various cookie hijacking techniques exist.[4] None of these methods is difficult to implement, and each can do significant damage to a user or an organization.

Network threats

Cookies that are sent over unencrypted channels can be subject to eavesdropping, i.e. the contents of the cookie can be read by the attacker.

End system threats

Cookies can be stolen or copied from the user, which could either reveal the information in the cookies or allow the attacker to edit their contents and impersonate the user.

The attacker can try to impersonate a website by accepting cookies from users. Once the attacker has these harvested cookies, they can use them on websites that accept third-party cookies.

References

  1. Barth, A. (April 2011). "RFC 6265 - HTTP State Management Mechanism". IETF RFC.
  2. "HTTP cookies". MDN Web Docs. Retrieved 2018-10-06.
  3. Bortz, Andrew; Barth, Adam; Czeskis, Alexei. "Origin Cookies: Session Integrity for Web Applications" (PDF). Archived (PDF) from the original on 2018-05-13. Retrieved 2018-05-13.
  4. Zheng, Xiaofeng; Jiang, Jian; Liang, Jinjin; Duan, Haixin; Chen, Shuo; Wan, Tao; Weaver, Nicholas (2016-08-12). "Cookies Lack Integrity: Real-World Implications" (PDF). Proceedings of the 24th USENIX Security Symposium. ISBN 978-1-931971-232. Archived (PDF) from the original on 2018-05-13. Retrieved 2018-05-13.
  • "What is Secure Cookie? - Definition from Techopedia". Archived from the original on 2018-05-13. Retrieved 2018-05-13.
This article is issued from Wikipedia. The text is licensed under Creative Commons - Attribution - Sharealike. Additional terms may apply for the media files.