Question

As we know, a cookie with the Secure attribute means that it is only transmitted via an encrypted connection. So my question is whether a cookie can be a secure one and a non-secure one. If so, why, or for what?


Solution

As stated, a cookie can have a Secure flag.

If true, the cookie is only sent by the browser for HTTPS requests.

If false, the cookie is sent by the browser for both HTTP and HTTPS requests.

There is no setting for transmission solely on HTTP. The HTTPOnly flag simply stops it being accessible via JavaScript and other client-side languages; it does not affect its HTTP/HTTPS behaviour.

So by setting Secure to false, the cookie will be transmitted both encrypted and decrypted depending on the current protocol.

This is not recommended as the cookie value could be sniffed if sent over the HTTP connection, or forced to by an attacker (e.g. the attacker simply linking to the HTTP site in an image tag on their site will cause the value to be leaked - <img src="http://www.example.com/img.jpg" />).
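To see the browser-side rule described in this answer in action, here is an added example (not part of the original answer) that uses Python's standard `http.cookiejar`, whose default policy models a browser: a cookie set with `Secure` is attached to `https://` requests only, while a cookie without it is attached to both schemes, which is exactly what lets the `<img src="http://...">` trick leak the non-Secure value. The hostname, cookie names and `Set-Cookie` headers are constructed sample data.

```python
import email.message
import http.cookiejar
import urllib.request


class _ConstructedResponse:
    """Minimal stand-in for an HTTP response; CookieJar only needs .info()."""

    def __init__(self, set_cookie_headers):
        self._msg = email.message.Message()
        for value in set_cookie_headers:
            self._msg["Set-Cookie"] = value

    def info(self):
        return self._msg


def jar_after_login(origin_url, set_cookie_headers):
    """Build a cookie jar as if the server at origin_url had sent these Set-Cookie headers."""
    jar = http.cookiejar.CookieJar()  # DefaultCookiePolicy: browser-like rules
    request = urllib.request.Request(origin_url)
    jar.extract_cookies(_ConstructedResponse(set_cookie_headers), request)
    return jar


def cookie_header_for(jar, url):
    """Return the Cookie header the jar would attach to a request for url, or None."""
    request = urllib.request.Request(url)
    jar.add_cookie_header(request)  # honours the Secure flag against request scheme
    return request.get_header("Cookie")


def attribute_summary(jar):
    """Report, per cookie, whether Secure and HttpOnly were present on Set-Cookie."""
    return {
        c.name: {"secure": bool(c.secure), "httponly": c.has_nonstandard_attr("HttpOnly")}
        for c in jar
    }


# Constructed sample: a session cookie set properly and a preference cookie set without Secure.
SAMPLE_SET_COOKIE = [
    "sid=abc123; Path=/; Secure; HttpOnly",
    "prefs=dark; Path=/",
]

if __name__ == "__main__":
    jar = jar_after_login("https://www.example.com/login", SAMPLE_SET_COOKIE)
    print(attribute_summary(jar))
    # Plain-HTTP request, e.g. the <img src="http://www.example.com/img.jpg"> case: only prefs leaks.
    print("http :", cookie_header_for(jar, "http://www.example.com/img.jpg"))
    # HTTPS request: both cookies are sent.
    print("https:", cookie_header_for(jar, "https://www.example.com/account"))
```

Note that `HttpOnly` is not one of `http.cookiejar`'s standard attributes, so it surfaces through `has_nonstandard_attr`; as the answer says, it never changes which scheme the cookie is sent over.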

OTHER TIPS

The Secure and HttpOnly attributes do not have associated values. Rather, the presence of the attribute names indicates that the Secure and HttpOnly behaviors are specified.

The Secure attribute is meant to keep cookie communication limited to encrypted transmission, directing browsers to use cookies only via secure/encrypted connections. If a web server sets a cookie with a secure attribute from a non-secure connection, the cookie can still be intercepted when it is sent to the user by man-in-the-middle attacks.

The HttpOnly attribute directs browsers not to expose cookies through channels other than HTTP (and HTTPS) requests. An HttpOnly cookie is not accessible via non-HTTP methods, such as calls via JavaScript (e.g., referencing "document.cookie"), and therefore cannot be stolen easily via cross-site scripting (a pervasive attack technique).[37] Among others, Facebook and Google use the HttpOnly attribute extensively.

In short, the 'Secure' attribute means it requires secure (SSL) transmission, for example HTTPS.

This is to prevent cookie theft or cookie hijacking. You can have a look at this wiki

You might also want to know about Cookie Encryption or Signed Cookie, a way to make your cookies safe from malicious cookie modification. Basically you append a hash to the cookie value and use it to verify the value of the cookie has not been modified.
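The signed-cookie idea in this answer, as an added example that is not part of the original post: the server appends an HMAC-SHA256 tag to the value, verifies it with a constant-time comparison on every request, and emits the cookie with `Secure` and `HttpOnly` so the tag is only ever carried over HTTPS and out of reach of `document.cookie`. The key, cookie name and values are constructed sample data; in a real deployment the key comes from configuration, not source code. A keyed MAC is used instead of a bare hash because an unkeyed hash could simply be recomputed by whoever edits the value.

```python
import base64
import hashlib
import hmac
from http.cookies import SimpleCookie

# Constructed sample key; a real server loads this from secret configuration.
SAMPLE_KEY = b"constructed-sample-key-do-not-reuse"


def sign_cookie_value(value: str, key: bytes) -> str:
    """Return value + '.' + urlsafe-base64(HMAC-SHA256(key, value))."""
    tag = hmac.new(key, value.encode("utf-8"), hashlib.sha256).digest()
    encoded = base64.urlsafe_b64encode(tag).rstrip(b"=").decode("ascii")
    return f"{value}.{encoded}"


def verify_cookie_value(signed: str, key: bytes):
    """Return the original value if the tag is valid, else None (tampered or malformed)."""
    value, sep, _tag = signed.rpartition(".")  # value itself may contain dots
    if not sep:
        return None
    expected = sign_cookie_value(value, key)
    # Constant-time comparison: avoids leaking how many tag bytes matched.
    if hmac.compare_digest(expected.encode("ascii"), signed.encode("ascii")):
        return value
    return None


def build_set_cookie(name: str, value: str, key: bytes) -> str:
    """Produce a Set-Cookie header body carrying the signed value with Secure and HttpOnly."""
    cookie = SimpleCookie()
    cookie[name] = sign_cookie_value(value, key)
    cookie[name]["path"] = "/"
    cookie[name]["secure"] = True    # HTTPS only
    cookie[name]["httponly"] = True  # not readable from JavaScript
    return cookie[name].OutputString()


if __name__ == "__main__":
    header = build_set_cookie("session", "uid:42", SAMPLE_KEY)
    print("Set-Cookie:", header)
    signed = sign_cookie_value("uid:42", SAMPLE_KEY)
    print("valid   ->", verify_cookie_value(signed, SAMPLE_KEY))
    forged = "uid:43." + signed.rpartition(".")[2]  # value edited, tag kept
    print("forged  ->", verify_cookie_value(forged, SAMPLE_KEY))
```

Signing only detects modification; the value is still readable by anyone who sees the cookie, so use it for data the client is allowed to see, and encrypt (or store server-side) anything that must stay confidential.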

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow