Secure cookies

Secure cookies are a type of cookie that is transmitted only over an encrypted HTTP connection, i.e. HTTPS. Since secure cookies are not available to scripting languages, they help prevent scripting attacks such as cross-site scripting (XSS), which attackers use to steal the information stored in cookies. Thus secure cookies enhance the security of cookies and prevent information misuse.

Background

An HTTP cookie is a small packet of data[1] sent from a web server to a user's web browser. Since HTTP is a stateless protocol, it cannot carry information from one page to the next on its own, hence the need for a cookie. There are basically two types of cookies:

Persistent cookies
Cookies which store information in the user's browser for a long time.
Non-persistent cookies
Cookies which generally expire once the browser is closed.

Cookies containing important information such as passwords or credit card numbers that are sent over a plain HTTP connection and stored in the web browser as plain text are vulnerable: an attacker can use them to steal the information stored in them. To prevent such information exposure, secure cookies are used.

Security services provided

Authentication

Authentication[2] is required whenever a cookie is sent to the web server, to verify that it comes from the genuine user. If an attacker steals a cookie and tries to impersonate the user, he will be unable to authenticate. However, he would still be able to read the contents of the cookie.

Confidentiality

Some parts of the cookie that contain important information are encrypted, making it difficult or impossible for an attacker to read them.[3] Various fields of a cookie could make use of confidentiality,[2] for example credit card numbers, social security numbers or encryption keys.

Integrity

Some form of checksum or hashing is implemented to provide integrity[2] for the cookie, so that even if an attacker modifies its contents, the web server rejects the cookie.

The HTTP State Management Mechanism[4] is the protocol that defines the cookie header fields. The header has a field for the secure flag which, if set, ensures that the cookie is sent only over an encrypted channel, i.e. HTTPS. This method provides only a form of confidentiality; however, the existing state-of-the-art secure cookie protocols provide all three features mentioned above.

Cookie theft and hijacking

Various cookie hijacking techniques[5] exist; however, they can be grouped into three general categories:

Network threats

Cookies which are sent over an unencrypted channel can be subject to eavesdropping, i.e. the contents of the cookie can be read by the attacker.

End system threats

Cookies can be stolen or copied from the user's system, which could either reveal the information in the cookie or allow the attacker to edit its contents and impersonate the user.

Cookie harvesting

Here the attacker impersonates a website in order to receive cookies from users. Once the attacker holds these harvested cookies, he can use them on websites that accept them. See third-party cookies.

None of the methods described above is difficult to implement, and each can do significant damage to a user or an organization.

Implementation

Java EE 6

In Servlet 6 the secure flag for the session cookie can be set in the web.xml deployment descriptor, as shown below.

<session-config>
    <cookie-config>
        <secure>true</secure>
    </cookie-config>
</session-config>

ASP.NET

In ASP.NET it can be done by setting the requireSSL attribute to true in the web.config file.

<httpCookies requireSSL="true" />

PHP

In PHP the secure flag for the session cookie can be set in php.ini.

; directive names in php.ini are case-sensitive; 1, On and true all enable the flag
session.cookie_secure = 1
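As an added illustration that is not part of the original article, the following Python sketch ties the configuration snippets above to the security services described earlier: it emits a Set-Cookie header carrying the Secure and HttpOnly attributes, appends an HMAC tag so the server can check the cookie's integrity and authenticate it on return, and audits a received Set-Cookie header for the missing attributes. The key, cookie names and values are constructed placeholders.

```python
import base64
import binascii
import hashlib
import hmac

# Constructed placeholder key; a real server loads it from a secret store.
SERVER_KEY = b"example-key-do-not-use-in-production"


def sign_cookie_value(value: str, key: bytes = SERVER_KEY) -> str:
    """Append an HMAC-SHA256 tag: the server, not the client, can now vouch for the value."""
    tag = hmac.new(key, value.encode(), hashlib.sha256).digest()
    return value + "." + base64.urlsafe_b64encode(tag).decode().rstrip("=")


def verify_cookie_value(signed: str, key: bytes = SERVER_KEY):
    """Return the original value if the tag matches, otherwise None (cookie rejected)."""
    value, sep, tag_b64 = signed.rpartition(".")
    if not sep:
        return None
    try:
        tag = base64.urlsafe_b64decode(tag_b64 + "=" * (-len(tag_b64) % 4))
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(key, value.encode(), hashlib.sha256).digest()
    # Constant-time comparison so timing does not leak how many tag bytes matched.
    if not hmac.compare_digest(tag, expected):
        return None
    return value


def build_set_cookie(name: str, signed_value: str, max_age: int = 3600) -> str:
    """Set-Cookie header with the Secure flag (HTTPS only) and HttpOnly (no script access)."""
    return (f"{name}={signed_value}; Max-Age={max_age}; Path=/; "
            "Secure; HttpOnly; SameSite=Lax")


def missing_attributes(set_cookie_header: str) -> list:
    """Audit helper: list which of Secure/HttpOnly a Set-Cookie header lacks."""
    parts = [p.strip() for p in set_cookie_header.split(";")[1:]]
    present = {p.split("=", 1)[0].lower() for p in parts}
    return [a for a in ("secure", "httponly") if a not in present]


if __name__ == "__main__":
    signed = sign_cookie_value("42")          # constructed user id
    print(build_set_cookie("uid", signed))
    print("tampered accepted?", verify_cookie_value("43" + signed[2:]) is not None)
    print("missing on plain cookie:", missing_attributes("sid=abc; Path=/"))
```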


This article is issued from Wikipedia - version of the 10/22/2016. The text is available under the Creative Commons Attribution/Share Alike but additional terms may apply for the media files.