No, we are not talking about delicious double-chocolate cookies. Although I’ve really missed the fabulous Incus Data cookies during lockdown.
As you know, cookies are small text files. They are usually created by the web server, but are saved and managed by your browser.
Cookies can be harmless or incredibly dangerous. It all depends on how you use them.
HTTP is a stateless protocol. This means the web server does not know that you are the same client that sent a request for a different page a few seconds ago.
Cookies are the most common way to maintain state. When you log into a website like Facebook, a cookie is created to keep you logged in.
Even on sites that don’t require a log in, cookies are used for many kinds of information. They might store your language or ad preference, which pages you’ve visited, or what products you searched for.
Cookies are sent back and forth between the browser and the server. The browser only sends a cookie with requests to servers whose domain (and path) matches the domain and path stored with that cookie.
Cookie theft is a form of session hijacking.
Cookies are sent in the HTTP headers. If hackers can see a cookie, they can copy it. They can then forge a request that carries the stolen cookie, and the server will treat it as if it came from you. Or they can forge new requests with modified cookie data.
If all your cookie contains is your language preference, this doesn’t matter. The problem arises when cookies store login credentials or other personal information. Then a hacker could use that information for fraudulent acts.
Golden cookie rule
The golden rule is simple: Never store valuable information in a cookie.
Other security tips
Here are a few other rules to prevent cookie hijacking:
- Set cookie expiration dates. The longer the cookie is valid, the more opportunity for it to be stolen.
- Set specific domain and path information. This is part of the principle of least privilege. Cookies should only have meaning where they are really required.
- Set your cookies to be HttpOnly. This stops JavaScript in the page from reading the cookie, so a cross-site scripting (XSS) flaw cannot be used to steal it.
- Set your cookies as “secure cookies” so that they can only be used over an HTTPS connection. (If you missed the earlier mail, you can catch up on the blog post about HTTPS.)
- If your cookies are sensitive, encrypt the cookie data.
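To make the rules above concrete, here is an added example (not from the original post, and not Incus Data's code) that builds a hardened session cookie with the Python standard library and audits any `Set-Cookie` header against the same rules. The domain and path names are assumptions, and the cookie value is a random session id so that nothing valuable travels in the cookie itself.

```python
"""Build a hardened Set-Cookie header and audit existing ones against the cookie rules."""
import secrets
from http.cookies import SimpleCookie

# Words that suggest the cookie value itself carries valuable data (golden rule).
SENSITIVE_WORDS = ("password", "email", "creditcard")


def build_session_cookie(domain, path="/account", max_age=1800):
    """Return a Set-Cookie header value for an opaque session id with every rule applied."""
    cookie = SimpleCookie()
    # The value is a random token the server maps to user data; it contains no credentials.
    cookie["sid"] = secrets.token_urlsafe(32)
    morsel = cookie["sid"]
    morsel["domain"] = domain        # assumed domain: only this host (and subdomains) get it
    morsel["path"] = path            # least privilege: only the part of the site that needs it
    morsel["max-age"] = max_age      # expiry in seconds; a stolen cookie stops working soon
    morsel["httponly"] = True        # page scripts cannot read it, blunting XSS theft
    morsel["secure"] = True          # sent over HTTPS only, never in clear text
    morsel["samesite"] = "Strict"    # not attached to cross-site requests
    return morsel.OutputString()


def audit_set_cookie(header):
    """Return the list of rule names a Set-Cookie header value breaks (empty list = clean)."""
    parts = [p.strip() for p in header.split(";")]
    name_value, attrs = parts[0], parts[1:]
    value = name_value.partition("=")[2].lower()
    # Map attribute names (lower-cased) to their value, or True for bare flags.
    flags = {}
    for attr in attrs:
        key, _, val = attr.partition("=")
        flags[key.strip().lower()] = val.strip() if val else True
    findings = []
    if any(word in value for word in SENSITIVE_WORDS):
        findings.append("valuable-data")   # store a server-side session id instead
    if "expires" not in flags and "max-age" not in flags:
        findings.append("no-expiry")
    if flags.get("path", "/") == "/":
        findings.append("broad-path")      # cookie is sent to every page on the site
    if "httponly" not in flags:
        findings.append("no-httponly")
    if "secure" not in flags:
        findings.append("no-secure")
    return findings
```

Running `audit_set_cookie("user=alice&password=hunter2; Path=/")` reports all five problems, while the header from `build_session_cookie("shop.example")` reports none.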
Those cookie warnings
If you haven’t already, join our Security Spotlight series. You’ll get a weekly email about web application security.