What are cookies and how to secure them

Posted By : Rajat Maan | 29-Aug-2022


What are cookies?


Cookies are small, often encrypted text files that are stored in browser directories. Web developers use them to help users navigate their websites and perform specific functions.

Cookies are created when a user's browser loads a website. The website transmits data to the browser, which saves it as a text file. When the user returns to the same website, the browser retrieves this file and sends it back to the server.

The server also uses a session ID to keep track of the user's page activity so that users can quickly pick up where they left off. Web pages do not have any 'memory' by default. Cookies tell the server which pages to show the user so that the user does not have to remember or re-enter information on the site.


Difference between cookies and Session cookies:


Websites do not have memories. The web page will treat a user who navigates from page to page as if they were an entirely different visitor each time. Session cookies allow the website you are visiting to track your movements from page to page, preventing you from being asked for information you have just given the site. Cookies allow you to move quickly and easily through many pages of a website without having to log in or re-authenticate at each new area you visit.

Session cookies allow a user to be recognised within a website, so that any page changes, item selections, or data you submit are remembered from page to page. The online ordering feature of an e-commerce site is the most obvious form of this functionality. When you visit one page of a catalogue and select some items, the session cookie remembers your selection so that when you are ready to check out, your shopping cart includes the items you selected. If you click through to the payment process without session cookies, the new page will not recognise your activity on previous pages, and your shopping basket will be empty.


Life without Cookies:


Websites and servers can technically work without cookies. A cookie, like a key, carries information quickly from one location to the next. Without a cookie, every time you open a new web page, the server that hosts that page will treat you as if you were a completely new visitor.

They are used to speed up and simplify online browsing by letting websites remember your identity, such as your IP address or login details, as well as your individual preferences, such as when Amazon suggests a book or music CD similar to what you were looking for on your previous visit.


How Secure are Cookies? How Long Does a Cookie Last?


Examine all responses in which a cookie is set by the application (using the Set-Cookie header) and capture them using an intercepting proxy or a traffic-intercepting browser plug-in. Then examine each cookie for the following:


  1. Secure Attribute: Whenever a cookie contains sensitive data or is a session token, it must be sent only over an encrypted channel (HTTPS). For instance, after authenticating to the application and receiving a session token in a cookie, make sure the session token is marked with the "secure" flag. If it is not, the browser would agree to send it over an unencrypted channel such as HTTP, and an adversary could trick users into submitting their cookies over that channel.
  2. HttpOnly Attribute: Even though not all browsers support it, this attribute should always be set. It protects the cookie from being accessed by client-side script; this reduces some exploitation vectors but does not completely eliminate the risk of cross-site scripting. Verify whether the "; HttpOnly" tag is set.
  3. Domain Attribute: Make sure the domain attribute is not set too loosely. As noted above, it should only be set for the server that needs to receive the cookie. For instance, if the application is hosted on app.mysite.com, it should be set to "; domain=app.mysite.com" rather than "; domain=.mysite.com", as the latter would permit the cookie to be sent to other, potentially insecure servers.
  4. Path Attribute: Make sure the path attribute has not been set too loosely, just like the domain attribute. If the path is set to the web root "/", then even if the Domain attribute has been set as tightly as possible, the cookie may be exposed to less secure applications running on the same server. For example, if the application is served at /myapp/, check that the cookie path is set to "; path=/myapp/" and NOT "; path=/" or "; path=/myapp". Note that myapp must be followed by a trailing "/" in this example. If it is not, the browser will transmit the cookie to any path that begins with "myapp", such as "myapp-exploited".
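The four checks above can be automated against captured Set-Cookie headers. The following Python script is an added example (not from the original post): it parses a Set-Cookie header value and reports which of the Secure, HttpOnly, Domain and Path checks fail, using the hypothetical host app.mysite.com and application path /myapp/ from the text; the sample headers are constructed.

```python
from typing import Dict, List

# Constructed sample Set-Cookie header values (not captured from a real application).
SAMPLE_HEADERS = [
    "sessionid=abc123; Path=/myapp/; Domain=app.mysite.com; Secure; HttpOnly",
    "sessionid=def456; Path=/; Domain=.mysite.com",
    "sessionid=ghi789; Path=/myapp; Domain=app.mysite.com; Secure",
]


def parse_set_cookie(header: str) -> Dict[str, object]:
    """Split a Set-Cookie value into name, value and a dict of attributes.

    Attribute names are lower-cased so "Secure" and "secure" compare equal;
    valueless flags (Secure, HttpOnly) are stored with an empty string.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def audit_cookie(header: str, expected_host: str, app_path: str) -> List[str]:
    """Apply the post's four checks and return a list of findings (empty = pass)."""
    attrs = parse_set_cookie(header)["attrs"]
    findings: List[str] = []
    if "secure" not in attrs:
        findings.append("missing Secure: cookie may be sent over plain HTTP")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: cookie readable by client-side script")
    # A Domain attribute wider than the serving host (e.g. ".mysite.com") leaks
    # the cookie to sibling hosts; an absent Domain means host-only, which is fine.
    domain = attrs.get("domain", "").lstrip(".").lower()
    if domain and domain != expected_host.lower():
        findings.append(f"Domain too broad: {attrs['domain']} (expected {expected_host})")
    # Path must match the application prefix exactly, including the trailing "/".
    path = attrs.get("path", "/")
    if path != app_path or not path.endswith("/"):
        findings.append(f"Path too broad: {path!r} (expected {app_path!r})")
    return findings


if __name__ == "__main__":
    for hdr in SAMPLE_HEADERS:
        print(hdr, "->", audit_cookie(hdr, "app.mysite.com", "/myapp/") or ["OK"])
```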
About Author

Rajat Maan

Rajat is a self-motivated, hard-working person and always ready to face new challenges. He has a good knowledge of Manual Testing techniques and Automation Frameworks.
