Web security: cookies

Tenth post in the web security series.

Cookies are used for many purposes, but the most important one is session tracking, since HTTP itself is stateless and has no built-in notion of a session.

There are several cookie attributes that should be considered, especially for session cookies:

  • Domain: specifies for which hosts the cookie is valid. Setting it to example.com (a leading dot, as in .example.com, is accepted and ignored by modern browsers) makes the browser send the cookie to example.com and all of its subdomains; omitting it makes the cookie host-only, so it is sent back only to the exact host that set it. For a session cookie, omit Domain unless subdomains genuinely need the session, since every subdomain that receives the cookie becomes part of its trust boundary.
  • Path: specifies for which paths on the site the cookie is sent. For instance, setting it to /admin makes the browser send the cookie only for URLs under /admin. Path is a scoping convenience, not a security boundary: the same-origin policy does not isolate paths, so a script elsewhere on the same origin can still load an /admin page in a frame and read the cookie from there.
  • Expires/Max-Age: both specify the lifetime of the cookie, the first as an absolute expiration date, the second as a lifetime in seconds (Max-Age takes precedence when both are present). The browser deletes the cookie once that time is reached. If neither is given, the cookie is a session cookie and is normally discarded when the user closes the browser (browsers that restore the previous session may keep it).
  • Secure: the cookie is sent only over HTTPS. For a session cookie this should always be set, and the whole site should be served over HTTPS, otherwise the session ID can be sniffed on the network and the session hijacked.
  • HttpOnly: the cookie cannot be read from JavaScript (document.cookie), so an XSS vulnerability cannot exfiltrate it directly. It does not make XSS harmless: injected script still runs with the user's session and can issue requests that carry the cookie.

So a session cookie with ID ABC1337 for example.com should be set with something like this:

Set-Cookie: SESSIONID=ABC1337; Domain=.example.com; Secure; HttpOnly

Drop the Domain attribute if only example.com itself needs the session, and add Max-Age or Expires only if the session is meant to survive closing the browser.
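To make the attribute semantics concrete, here is a small model of the browser-side rules described above, as an added example that is not part of the original post. It parses a Set-Cookie header (applying the RFC 6265 defaults for Domain and Path), decides whether a browser would attach the cookie to a given request, and reports which hardening attributes a session cookie is missing. The cookie name, value and hostnames are the ones from the post; the function names are my own.

```python
"""
Added example (not from the original post): a minimal model of how a
browser scopes a cookie by Domain, Path and Secure, plus a check that a
session cookie carries the attributes recommended above.
"""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit


@dataclass
class Cookie:
    name: str
    value: str
    domain: Optional[str]   # None means host-only (no Domain attribute)
    path: str
    secure: bool
    http_only: bool
    max_age: Optional[int]


def parse_set_cookie(header: str, request_path: str = "/") -> Cookie:
    """Parse a Set-Cookie header value, applying RFC 6265 defaults."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    domain, path, max_age = None, None, None
    secure = http_only = False
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "domain":
            # A leading dot is ignored: the cookie applies to the domain and its subdomains.
            domain = val.lstrip(".").lower()
        elif key == "path":
            path = val
        elif key == "secure":
            secure = True
        elif key == "httponly":
            http_only = True
        elif key == "max-age":
            max_age = int(val)
    if path is None:
        # Default path: the request path up to, but not including, its last "/".
        path = request_path.rsplit("/", 1)[0] or "/"
    return Cookie(name.strip(), value, domain, path, secure, http_only, max_age)


def domain_matches(request_host: str, cookie: Cookie, origin_host: str) -> bool:
    host = request_host.lower()
    if cookie.domain is None:
        return host == origin_host.lower()      # host-only: exact host, no subdomains
    return host == cookie.domain or host.endswith("." + cookie.domain)


def path_matches(request_path: str, cookie_path: str) -> bool:
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        # "/admin" matches "/admin/users" but not "/administrator"
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False


def cookie_sent(cookie: Cookie, origin_host: str, url: str) -> bool:
    """Would a browser attach `cookie` (set by origin_host) to a request for `url`?"""
    u = urlsplit(url)
    if cookie.secure and u.scheme != "https":
        return False
    return domain_matches(u.hostname, cookie, origin_host) and path_matches(u.path or "/", cookie.path)


def session_cookie_issues(cookie: Cookie) -> list:
    """Hardening attributes missing from, or worth reconsidering on, a session cookie."""
    issues = []
    if not cookie.secure:
        issues.append("missing Secure: cookie is also sent over plain HTTP")
    if not cookie.http_only:
        issues.append("missing HttpOnly: readable via document.cookie")
    if cookie.domain is not None:
        issues.append("Domain set: cookie is shared with every subdomain of " + cookie.domain)
    return issues


if __name__ == "__main__":
    hardened = parse_set_cookie("SESSIONID=ABC1337; Domain=.example.com; Secure; HttpOnly")
    print(cookie_sent(hardened, "example.com", "https://app.example.com/account"))  # True
    print(cookie_sent(hardened, "example.com", "http://example.com/"))              # False
    print(session_cookie_issues(parse_set_cookie("SESSIONID=ABC1337")))
```

The Path check shows why a prefix match alone is not enough: /admin must not match /administrator. The issues list deliberately flags a Domain attribute as well, since the Set-Cookie line above shares the session with every subdomain of example.com.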
