Cookie Security
Cookie attributes
Ultimate cookie:
Secure attribute
The Secure attribute indicates that the cookie is sent to a server only when a request is made with the https: scheme (except on localhost). It only protects the confidentiality of a cookie against MitM attackers - there is no integrity protection. Therefore, cookies with this attribute can still be modified either with access to the client's hard disk or from JavaScript.
Insecure sites http: can't set cookies with the Secure attribute (since Chrome 52 and Firefox 52). For Firefox, the https: requirements are ignored when the Secure attribute is set by localhost (since Firefox 75).
HttpOnly attribute
Cookies marked with the HttpOnly attribute are not accessible from JavaScript. The HttpOnly attribute only protects the confidentiality of a cookie. HttpOnly cookies can be replaced by overflowing the cookie jar from JavaScript.
Path attribute
The Path attribute indicates the path that must exist in the requested URL for the browser to send the Cookie header. It can be used to prevent unauthorized access to cookies from other applications on the same host.
The forward slash / character is interpreted as a directory separator, and subdirectories are matched as well. For example, for Path=/docs:
The request paths
/docs,/docs/,/docs/Web/, and/docs/Web/HTTPwill all match.The request paths
/,/docsets,/fr/docswill not match.
Cookie scope vs Same-Origin Policy
Isolation two different applications on shared host
Domain attribute
The Domain attribute defines the host to which the cookie will be sent.
If the
Domainattribute unspecified, it defaults to the host of the current document location, excluding subdomainsIE will always send to subdomains regardless
If the
Domainattribute is specified, cookies will be sent to that domain and all its subdomains
Expires attribute
The Expires attribute indicates the maximum lifetime of the cookie as an HTTP-date timestamp.
If the
Expiresattribute unspecified, cookie lifetime is equal to session lifetimeIt is up to the browser to decide when the session ends
Non-persistentsession cookies may actually be persisted to survive browser restart
References:
Max-Age attribute
The Max-Age attribute indicates the number of seconds until the cookie expires. If both Expires and Max-Age are set, Max-Age has precedence.
SameSite
The SameSite attribute prevents the browser from sending cookies along with cross-site requests. The SameSite attribute can have one of two values (case-insensitive):
Strict, means that the browser sends the cookie only for same-site requests, that is, requests originating from the same site that set the cookie. If a request originates from a URL different from the current one, no cookies with theSameSite=Strictattribute are sent.Lax, means that the cookie is not sent on cross-site requests, such as on requests to load images or frames, but is sent when a user is navigating to the origin site from an external site usingsafeHTTP methods (for example, when following a link). This is the default behavior if the SameSite attribute is not specified. Thesafemethods:GET, HEAD, OPTIONSandTRACE.None, means that the browser sends the cookie with both cross-site and same-site requests. TheSecureattribute must also be set when setting this value, like soSameSite=None; Secure.
References:
Cookie prefix
The cookie prefix allows you to pass metadata about a cookie and notify a client that certain attributes have been set. The following prefixes are supported:
__Secure-tells the browser that theSecureattribute is required.__Host-tells the browser that thePath=/andSecureattributes are required, and at the same time that theDomainattribute should not be present (and therefore, can not be sent to subdomains).
References:
Cookie-list sorting
Therefore, if a vulnerable application uses the first cookie, you can force it to use your cookie by adding the Path attribute with a longer path.
References
Last updated
