Who stole the cookies?


No, we are not talking about delicious double-chocolate cookies. Although I’ve really missed the fabulous Incus Data cookies during lockdown.

As you know, cookies are small text files. They are usually created by the web server, but are saved and managed by your browser.

Cookies can be harmless or incredibly dangerous. It all depends on how you use them.

Why we use cookies

HTTP is a stateless protocol. This means the web server does not know that you are the same client that sent a request for a different page a few seconds ago.

Cookies are the most common way to maintain state. When you log into a website like Facebook, a cookie is created to keep you logged in.

Even on sites that don’t require a login, cookies are used for many kinds of information. They might store your language or ad preference, which pages you’ve visited, or what products you searched for.

Cookies are sent back and forth between the browser and the server. The browser sends a cookie only to the server that matches the domain stored in that cookie.

Cookie theft

Cookie theft is a form of session hijacking.

Cookies are sent in the HTTP headers. If hackers can see a cookie, they can steal the cookie. Hackers can forge a request, and use the cookie data as if it were their own. Or they can forge new requests with modified cookie data.

If all your cookie contains is your language preference, this doesn’t matter. The problem arises when cookies store login credentials or other personal information. Then a hacker could use that information for fraudulent acts.

Golden cookie rule

The golden rule is simple: Never store valuable information in a cookie.

Other security tips

Here are a few other rules to prevent cookie hijacking:

  • Set cookie expiration dates. The longer the cookie is valid, the more opportunity for it to be stolen.
  • Set specific domain and path information. This is part of the principle of least privilege. Cookies should only have meaning where they are really required.
  • Set your cookies to be HttpOnly. This stops scripts running in the page from reading the cookie, which prevents it from being exploited using cross-site scripting (XSS).
  • Set your cookies as “secure cookies” so that they can only be used over an HTTPS connection. (If you missed the earlier mail, you can catch up on the blog post about HTTPS.)
  • If your cookies are sensitive, encrypt the cookie data.
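
The tips above can be checked mechanically against the `Set-Cookie` headers a site sends. The following Python sketch is an added example, not code from the original post: the one-day lifetime policy, the host name `shop.example.com` and both sample headers are assumptions constructed for illustration.

```python
# Added example (not from the original post): audit Set-Cookie values
# against the tips in the list above. Sample headers are constructed.
MAX_LIFETIME = 24 * 3600  # assumed policy: at most one day, in seconds

def parse_set_cookie(value):
    """Return (name, attrs); attrs maps lower-cased attribute names to values."""
    first, *rest = [part.strip() for part in value.split(";")]
    attrs = {}
    for part in filter(None, rest):
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return first.split("=", 1)[0], attrs

def audit_set_cookie(value, host):
    """Return findings for one Set-Cookie value issued by host (empty = pass)."""
    _, attrs = parse_set_cookie(value)
    findings = []
    if "secure" not in attrs:
        findings.append("no Secure: cookie is also sent over plain HTTP")
    if "httponly" not in attrs:
        findings.append("no HttpOnly: cookie is readable from page scripts")
    if "max-age" in attrs:
        try:
            too_long = int(attrs["max-age"]) > MAX_LIFETIME
        except ValueError:
            too_long = True  # an unparseable lifetime is treated as a failure
        if too_long:
            findings.append("Max-Age exceeds policy or is not a number")
    elif "expires" not in attrs:
        findings.append("no Max-Age or Expires: lifetime is not set explicitly")
    domain = attrs.get("domain", "").lstrip(".").lower()
    if domain and domain != host.lower():
        findings.append("Domain does not match the issuing host")
    if attrs.get("path") == "/":
        findings.append("Path=/ attaches the cookie to every request to the host")
    return findings

# Constructed samples: a loosely scoped, long-lived cookie and a hardened one.
WEAK = "session=abc123; Path=/; Domain=example.com; Max-Age=31536000"
HARDENED = "session=abc123; Path=/account; Max-Age=1800; Secure; HttpOnly"

if __name__ == "__main__":
    for header in (WEAK, HARDENED):
        print(header)
        for finding in audit_set_cookie(header, "shop.example.com") or ["ok"]:
            print("  -", finding)
```

The audit covers only the attributes named in the list. Whether the cookie value itself is encrypted cannot be judged from the header alone.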

Those cookie warnings

You will have noticed that more and more websites have pop-up boxes to inform you that the site uses cookies. This is because of EU legislation, specifically the General Data Protection Regulation (GDPR) and the ePrivacy Directive (aka the Cookie Directive). According to these laws, cookies collect personal information. As such, a site must get active consent to use cookies, and users must have the option to withdraw that consent.

If you haven’t already, join our Security Spotlight series. You’ll get a weekly email about web application security.
