CookiesIT SecuritySQL Injection

Protecting Cookies

Protecting Cookies: Since cookies are an integral part of the web applications, it is important to understand the methods that can be used to secure them properly.

While the developers of an application is ultimately he only person who can make changes to secure cookies in most cases, it is important to understand what they can do.

Earlier in Articles we discussed what cookies are and talked a little about what they are used for and how they may be compromised. Now let’s talk about setting attributes that can secure cookies and make them safer.


The following is a list of the attributes that can be set on a per-cookie basis, which makes them safer to use:


Secure: When this attributes is set on a cookie, it informs the browser that the cookie may only be sent over methods that are secure such as HTTPS.

However, in the event that a web application utilizes both HTTP and HTTPS, the cookie may inadvertently be passed in the clear.


HttpOnly: Setting this attribute defends against XSS attacks because the cookie can be accessed only via HTTP and not via scripts such as client-side JavaScript. It may not be supported in all browsers.


Domain: When this attribute is used, it verifies that the domain the cookie is being used with matches; then a second attribute known as the path attribute will be checked.


Path: When the domain attribute is set, the path can then specify the location or path the cookie is actually valid for.

It is important when using this attribute that you use as restrictive a path as possible to avoid attacks launched from co-located applications.


Expire: This attribute offers strong protection against misuse of cookies because it actually deletes the cookie when the expiration date is exceeded.

However, until the date is exceeded, the cookie will continue to be accessible and used by the current browser session and all the following session.

If the attribute is not specifically set, then the cookie will be deleted once the current browser session closed.

Related Articles

Leave a Reply

Back to top button