Contents
Cookies are sent within the HTTP header. Thus they are as secure as the HTTPS connection which depends on a lot of SSL/TLS parameters like cipher strength or length of the public key. Please keep in mind that unless you set the Secure flag for your Cookie, the Cookie can be transmitted over an unsecure HTTP connection.
Since the data in cookies doesn’t change, cookies themselves aren’t harmful. They can’t infect computers with viruses or other malware. However, some cyberattacks can hijack cookies and enable access to your browsing sessions. The danger lies in their ability to track individuals’ browsing histories.
How do you securely use cookies?
When using cookies its important to remember to:
- Limit the amount of sensitive information stored in the cookie.
- Limit the subdomains and paths to prevent interception by another application.
- Enforce SSL so the cookie isn’t sent in cleartext.
- Make the cookie HttpOnly so its not accessible to javascript.
To overcome the issue, we can use HTTPS when issuing the cookie and add the Secure flag to it: this instruct browsers to never send this cookie in plain HTTP requests.
Securing cookies is one of the most important aspects when implementing sessions on the web: this chapter will, therefore, give you a better understanding of cookies, how to secure them and what alternatives can be used. What’s behind a cookie? A server can send a cookie using the Set-Cookie header:
Can a cookie be set with the Secure attribute?
A cookie with the Secure attribute is sent to the server only with an encrypted request over the HTTPS protocol, never with unsecured HTTP (except on localhost), and therefore can’t easily be accessed by a man-in-the-middle attacker. Insecure sites (with http: in the URL) can’t set cookies with the Secure attribute.
As the name suggests, HTTP only cookies can only be accessed by the server during an HTTP (S!) request. The authentication cookie is only there to be sent back and forth between the client and server and a perfect example of a cookie that should always be marked as HttpOnly. Here’s how to do that in Web.config (extending on the code from before):