Cookies are pieces of information stored on the client side, which are sent to the server with every request made by the client. Cookies are generally used by web sites to track users’ personal preferences so that personalized content can be served to the user. Once the cookie is stored on the
client, the client browser automatically submits this name-value pair every time the user goes to the same site.
Cookies are primarily used for authentication and maintaining sessions. Hence, securing a cookie effectively means securing a user’s identity. Cookies can be secured by properly setting cookie attributes. These attributes are:
Secure
Domain
Path
HTTPOnly
Expires
Secure
One of the simplest and most common ways to steal data, including cookies, is sniffing. Sniffing can be defined as passively reading data that is being transmitted. In order to overcome this problem, we encrypt data before transmission. Encryption of data ensures that any potential attacker who sniffs traffic will not be able to steal clear text data, thus ensuring their safety.
However, many applications encrypt only the login page and other sensitive pages. Other requests such as those for image files are sent to the server using non-encrypted communication. But as cookies are also transmitted along with these requests, an attacker sniffing on a network will be able to steal session information from these cookies. Also, some sites allow access over HTTP as well as HTTPS. In cases like these, it becomes important to make sure the cookie is transmitted only over HTTPS connections and not HTTP. This can be done with the help of the ‘Secure’ attribute of a cookie.
The ‘Secure’ attribute makes sure that the cookie will only be sent with requests made over an encrypted connection and an attacker won’t be able to steal cookies by sniffing. However, we need to be very careful while setting this attribute,we must ensure that the response used to set the ‘Secure’ attribute is sent using an encrypted channel.
Domain and Path
The ‘domain‘ attribute signifies the domain for which the cookie is valid and can be submitted with every request for this domain or its subdomains. If this attribute is not specified, then the hostname of the originating server is used as the default value.
The ‘path‘ attribute signifies the URL or path for which the cookie is valid. The default path attribute is set as ‘/’.‘domain’ and ‘path’ cookie attributes must be properly set in an environment where subdomains and subfolders host different applications
HTTPOnly
When this attribute is set, client-side scripts are not allowed to access the cookie.
Expires
This attribute is used to set persistent cookies. It signifies how long the browser should use the persistent cookie and when the cookie should be deleted.
If this attribute is not specified, then the lifetime of the cookie is the same as that of browser session, i.e. it will be a non-persistent cookie.
we must ensure that the ‘Expires’ attribute is not set for a cookie containing sensitive information
References
http://paladion.net/blogs/
client, the client browser automatically submits this name-value pair every time the user goes to the same site.
Cookies are primarily used for authentication and maintaining sessions. Hence, securing a cookie effectively means securing a user’s identity. Cookies can be secured by properly setting cookie attributes. These attributes are:
Secure
Domain
Path
HTTPOnly
Expires
Secure
One of the simplest and most common ways to steal data, including cookies, is sniffing. Sniffing can be defined as passively reading data that is being transmitted. In order to overcome this problem, we encrypt data before transmission. Encryption of data ensures that any potential attacker who sniffs traffic will not be able to steal clear text data, thus ensuring their safety.
However, many applications encrypt only the login page and other sensitive pages. Other requests such as those for image files are sent to the server using non-encrypted communication. But as cookies are also transmitted along with these requests, an attacker sniffing on a network will be able to steal session information from these cookies. Also, some sites allow access over HTTP as well as HTTPS. In cases like these, it becomes important to make sure the cookie is transmitted only over HTTPS connections and not HTTP. This can be done with the help of the ‘Secure’ attribute of a cookie.
The ‘Secure’ attribute makes sure that the cookie will only be sent with requests made over an encrypted connection and an attacker won’t be able to steal cookies by sniffing. However, we need to be very careful while setting this attribute,we must ensure that the response used to set the ‘Secure’ attribute is sent using an encrypted channel.
Domain and Path
The ‘domain‘ attribute signifies the domain for which the cookie is valid and can be submitted with every request for this domain or its subdomains. If this attribute is not specified, then the hostname of the originating server is used as the default value.
The ‘path‘ attribute signifies the URL or path for which the cookie is valid. The default path attribute is set as ‘/’.‘domain’ and ‘path’ cookie attributes must be properly set in an environment where subdomains and subfolders host different applications
HTTPOnly
When this attribute is set, client-side scripts are not allowed to access the cookie.
Expires
This attribute is used to set persistent cookies. It signifies how long the browser should use the persistent cookie and when the cookie should be deleted.
If this attribute is not specified, then the lifetime of the cookie is the same as that of browser session, i.e. it will be a non-persistent cookie.
we must ensure that the ‘Expires’ attribute is not set for a cookie containing sensitive information
References
http://paladion.net/blogs/
%2Bdork%2Blist%2Binfosec%2Baffairs.png)
No comments:
Post a Comment