Securing your Cookies from naughty ones!

When you were a kid, you tried your best to always secure your cookies. If you are a web application developer, you have to do the same today as well.

In a web application context, cookies are another form of information that is generated by the web application, consumed by the client, and submitted back to the application server. They are therefore vulnerable to malicious activity and critical to web application security.

There are two approaches that we should adopt for cookie security. First, we should set cookie attributes so that cookies are less vulnerable; second, we should implement cookie consumption so that cookies pose no threat to our overall system.

Cookie Settings:

The following guidelines should be followed when setting cookie attributes.

Secure – Whenever a cookie contains sensitive information or is a session token, it should always be passed over an encrypted tunnel, and the Secure attribute should be set.

HttpOnly – This attribute should always be set so that the cookie cannot be accessed by a client-side script such as JavaScript, which helps protect it against Cross-Site Scripting attacks.

Domain – Make sure Domain has not been set too loosely.

Path – Make sure the cookie path has not been set too loosely.

Expires – If this attribute is set too far in the future, make sure the cookie does not contain any sensitive information. Better yet, do not set this attribute, so that the cookie is deleted from the cookie cache when the current session ends.
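
As an added illustration of the attribute guidelines above (not code from the original article), this Python example audits one Set-Cookie header value for a session cookie and reports each attribute that is missing or too loose. The function names, the 12-hour lifetime limit, the application path parameter and the sample headers are assumptions made for the example.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
MAX_LIFETIME = timedelta(hours=12)  # assumed policy limit, not from the article

def lifetime(attrs, now):
    """Return how long the browser keeps the cookie, or None for a session cookie."""
    try:  # Max-Age takes precedence over Expires when both are present
        return timedelta(seconds=min(int(attrs["max-age"]), 10**9))
    except (KeyError, ValueError):
        pass
    try:
        when = parsedate_to_datetime(attrs["expires"])
    except (KeyError, TypeError, ValueError):
        return None  # absent or unparseable: no usable expiry date
    if when.tzinfo is None:
        when = when.replace(tzinfo=timezone.utc)
    return when - now

def audit_set_cookie(header, host, app_path="/", now=None):
    """Check one Set-Cookie value for a session cookie; return a list of findings."""
    now = now or datetime.now(timezone.utc)
    _, *rest = [p.strip() for p in header.split(";")]
    attrs = {}
    for part in rest:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    findings = []
    if "secure" not in attrs:
        findings.append("Secure missing: cookie may be sent over plain HTTP")
    if "httponly" not in attrs:
        findings.append("HttpOnly missing: cookie is readable by client-side script")
    domain = attrs.get("domain", "").lstrip(".").lower()
    if domain and host.lower().endswith("." + domain):
        findings.append(f"Domain={domain} shares the cookie with every subdomain")
    path = attrs.get("path")
    if path and not path.startswith(app_path):
        findings.append(f"Path={path} is wider than the application path {app_path}")
    life = lifetime(attrs, now)
    if life is not None and life > MAX_LIFETIME:
        findings.append("Expires/Max-Age keeps a sensitive cookie beyond the session")
    return findings

# Constructed sample headers (not taken from any real application)
LOOSE = "SID=abc123; Domain=.example.com; Path=/; Expires=Wed, 01 Jan 2031 00:00:00 GMT"
TIGHT = "SID=abc123; Path=/shop/; Secure; HttpOnly"
NOW = datetime(2030, 1, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    print(audit_set_cookie(LOOSE, "shop.example.com", "/shop/", NOW))
```

Run against the constructed LOOSE header it reports all five problems, and it returns an empty list for TIGHT.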

Cookies Implementation:

The following guidelines should be followed when implementing cookies in order to secure a web application.

    1. Session tokens (cookie, session ID or hidden field) should be random, unique and resistant to statistical and cryptographic analysis, and should not leak information when a large number of cookies are analyzed.

    2. Cookies should be formed so that they cannot cause a memory overflow.

    3. Cookie operations should not take place over unencrypted transport.

    4. It should not be possible to force cookies over unencrypted transport; if it is allowed, then these cookies should be made secure.

    5. Persistent cookies should be avoided; if they are used, they should be secure.

    6. Transient cookies should be configured properly.

    7. HTTP/1.1 and HTTP/1.0 Cache-Control settings should be set properly to protect cookies.

    8. It is suggested to use multiple cookies to make analysis difficult and avoid Brute Force Attacks.

    9. If we can somehow hide the process of creating/modifying cookies (on pages), that would improve security.

    10. Issue a generic value for the session ID in the cookie and reference the real data on the server side; this will make analysis of session cookies difficult.

Hope you’ll be able to keep your cookies safe from other naughty kids around.