Cookie Security
Cross-site scripting, man-in-the-middle attacks and cross-site request forgery are attacks that involve cookies, through malicious actions such as forging, reusing or reading them. Developers therefore need measures that reduce the risk of an attacker accessing, forging or reusing cookie values that carry sensitive data such as session IDs, authentication data and user sessions. Developers can set specific attributes alongside the cookie value when creating a cookie with the Set-Cookie HTTP response header in order to protect it.
The Set-Cookie HTTP header attributes that can be used to improve cookie security are:
1 Expires and Max-Age attribute :
If the Expires attribute is not set, the cookie is removed as soon as the browser is closed.
Max-Age is the same as Expires, but it takes a number of seconds instead of an actual date.
Expires and Max-Age should only be used when strictly required, since these attributes turn the cookie into a persistent cookie.
Syntax
Set-Cookie: <cookie-name>=<cookie-value>; Expires=<date>
Set-Cookie: <cookie-name>=<cookie-value>; Max-Age=<number>
Example
Set-Cookie: id=a3fWa; Expires=Wed, 18 Jan 2023 07:28:00 GMT
Set-Cookie: id=a3fWa; Max-Age=2592000
2 Secure Attribute :
Setting the Secure flag prevents the cookie from ever being sent over an unencrypted connection. It tells the browser never to add the cookie to any request to the server that does not use an encrypted (HTTPS) channel.
Syntax
Set-Cookie: <cookie-name>=<cookie-value>; Secure
Example
Set-Cookie: __Secure-ID=123; Secure; Domain=example.com
Set-Cookie: __Host-ID=123; Secure; Path=/
3 HttpOnly Attribute
Without this flag, cookies can be set and read by client-side JavaScript via document.cookie; with HttpOnly set, the browser does not expose the cookie to scripts.
Syntax
Set-Cookie: <cookie-name>=<cookie-value>; HttpOnly
Example
Set-Cookie: <cookie-name>=<cookie-value>; Secure; HttpOnly
4 SameSite Attribute
There are three possible values for the SameSite attribute:
- Strict : The cookie is only sent if you are currently on the site that the cookie was set for.
- Lax : The cookie is not sent for embedded content, but it is sent if you trigger a top-level navigation, e.g. by clicking a link to the site that the cookie was set for.
- None : The cookie is sent even for embedded (cross-site) content; this value must be combined with the Secure attribute.
Syntax
Set-Cookie: <cookie-name>=<cookie-value>; SameSite=Strict
Set-Cookie: <cookie-name>=<cookie-value>; SameSite=Lax
Set-Cookie: <cookie-name>=<cookie-value>; SameSite=None; Secure
Example
Set-Cookie: secureid=1234; SameSite=Strict
Set-Cookie: secureid=1234; SameSite=Lax
Set-Cookie: secureid=1234; SameSite=None; Secure
The Path and Domain attributes should be avoided. When the Domain attribute is set, the cookie is also sent to subdomains: for example, if you set Domain=example.com, the cookie is sent to www.example.com as well as test.example.com. When the Domain attribute is not set, the cookie is only sent to the exact domain that set it. Hence the Domain attribute should be used only when it is necessary. The same applies to the Path attribute: when it is set, the cookie is sent to all subpaths of that path. If you do not set the Path attribute, the default value is the path from which the cookie was set and all its subpaths. Hence this attribute too should only be set on a cookie when it is necessary.
To declare a cookie secure, the following should be ensured :
- Do not provide the Expires and Max-Age attributes, so that the cookie is treated as a session cookie.
- Do not provide the Path and Domain attributes, so that the scope is limited to the same domain/path.
- Provide the HttpOnly, Secure and SameSite=Strict attributes.
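As an added example (not code from the original page), the checklist above expressed as a Python auditor: it parses a Set-Cookie header value and reports which of the recommended attributes are missing or misused. It goes one step beyond the text by also checking the __Secure- and __Host- prefix rules that the examples in section 2 rely on (browsers reject __Host- cookies without Secure and Path=/, or with a Domain).

```python
# Added example (not part of the original page): a small auditor that parses
# a Set-Cookie header value and reports deviations from the checklist above.
# Attribute names are compared case-insensitively, as browsers do.

def parse_set_cookie(header: str):
    """Split a Set-Cookie value into (name, value, {attribute: value}).
    Value-less attributes such as Secure map to an empty string."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def audit_set_cookie(header: str) -> list:
    """Return a list of findings; an empty list means the cookie passes."""
    name, _, attrs = parse_set_cookie(header)
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure: cookie may be sent over plain HTTP")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: cookie is readable via document.cookie")
    samesite = attrs.get("samesite", "").lower()
    if not samesite:
        findings.append("missing SameSite: add SameSite=Strict (or Lax)")
    elif samesite == "none" and "secure" not in attrs:
        findings.append("SameSite=None requires Secure")
    if "expires" in attrs or "max-age" in attrs:
        findings.append("persistent cookie: drop Expires/Max-Age for a session cookie")
    if "domain" in attrs:
        findings.append("Domain set: cookie is also sent to all subdomains")
    if "path" in attrs and not name.startswith("__Host-"):
        findings.append("Path set: cookie is sent to every subpath of that path")
    # Cookie prefixes: browsers reject __Secure- without Secure, and __Host-
    # without Secure, with a Domain, or with a Path other than "/".
    if name.startswith("__Secure-") and "secure" not in attrs:
        findings.append("__Secure- prefix requires Secure")
    if name.startswith("__Host-") and (
            "secure" not in attrs or "domain" in attrs or attrs.get("path") != "/"):
        findings.append("__Host- prefix requires Secure, Path=/ and no Domain")
    return findings


if __name__ == "__main__":
    # Constructed sample headers, including two of the page's own examples.
    for hdr in ("id=a3fWa; Max-Age=2592000", "__Host-ID=123; Secure; Path=/",
                "sid=9f1c; Secure; HttpOnly; SameSite=Strict"):
        print(hdr, "->", audit_set_cookie(hdr) or "OK")
```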