Cookie Flags

Description

Cookie Flags are security attributes that can be set on HTTP cookies to control their behavior and reduce security risks. Improperly configured cookie flags can leave an application vulnerable to various attacks, such as session hijacking, cross-site scripting (XSS) exploitation, and man-in-the-middle (MitM) attacks. Without the correct flags, an attacker might be able to steal authentication cookies, manipulate session data, or execute unauthorized actions on behalf of a user.

Cookies are often used for authentication (e.g., session tokens), user preferences, or tracking. Ensuring that security flags are set correctly is crucial for preventing unauthorized access and data leakage.

Examples

Missing HttpOnly Flag

If the HttpOnly flag is not set, JavaScript running in the user's browser can access the cookie via document.cookie. This makes it possible for an attacker to steal the session token using an XSS attack:

<script>
  alert(document.cookie);
</script>

If the session cookie is accessible in JavaScript, an attacker could exfiltrate it and hijack the session.

Missing Secure Flag

If a cookie lacks the Secure flag, it can be transmitted over unencrypted HTTP connections. This makes it susceptible to packet sniffing or MitM attacks, where an attacker intercepts the cookie data.

Example of an insecure cookie:

Set-Cookie: sessionid=abcd1234; Path=/; HttpOnly;

Without Secure, the cookie is sent over both HTTP and HTTPS. If an attacker can force the user to make an HTTP request, they might capture the cookie.

Missing SameSite Flag

The SameSite attribute mitigates Cross-Site Request Forgery (CSRF) by restricting when a cookie is attached to cross-site requests. If the attribute is not set, or the cookie is explicitly marked SameSite=None, the cookie is sent with cross-site requests and an attacker can exploit CSRF vulnerabilities to perform actions on behalf of an authenticated user. Note that browsers only accept SameSite=None in combination with Secure; a cookie marked SameSite=None without Secure is rejected outright by current browsers.

Example of a cookie missing the SameSite flag:

Set-Cookie: sessionid=abcd1234; Path=/; Secure; HttpOnly;

In this case, the cookie may still be sent with cross-site requests, allowing CSRF attacks. Relying on the browser default is not sufficient: Chromium-based browsers treat an unset SameSite as Lax, but not all browsers do, so the attribute should be set explicitly.

Remediation

  1. Set HttpOnly to Prevent XSS-Based Theft

    • Ensures cookies are not accessible via JavaScript, preventing attackers from stealing session tokens through XSS.
    • Example:
    Set-Cookie: sessionid=abcd1234; Path=/; HttpOnly;
    
  2. Use Secure to Restrict Cookie Transmission to HTTPS

    • Ensures the cookie is only sent over HTTPS and prevents interception over unencrypted HTTP traffic.
    • Example:
    Set-Cookie: sessionid=abcd1234; Path=/; Secure; HttpOnly;
    
  3. Enforce SameSite for CSRF Protection

    • Use SameSite=Lax or SameSite=Strict to prevent cross-site cookie transmission, mitigating CSRF attacks. Lax still sends the cookie on top-level navigations that use safe methods such as GET, which is usually acceptable for a session cookie; Strict withholds it on every cross-site request, so users following an external link arrive without their session until they navigate again.
    • Example:
    Set-Cookie: sessionid=abcd1234; Path=/; Secure; HttpOnly; SameSite=Lax;
    
  4. Set Domain and Path Restrictions

    • Limit cookies to specific hosts or paths to reduce the risk of unauthorized access. Omitting the Domain attribute scopes the cookie to the exact host that set it, whereas Domain=example.com sends it to every subdomain as well.
    • Path is not a security boundary: RFC 6265 notes that cookies provide no isolation by path, since a page on another path of the same origin can still obtain them, so treat Path as a scoping convenience rather than a control.
    • Example:
    Set-Cookie: sessionid=abcd1234; Path=/account; Secure; HttpOnly; SameSite=Strict;
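The checks above can be applied mechanically to the Set-Cookie headers a server returns. The following auditor is an added example, not code from the original write-up; it parses each header into its attributes and reports the missing or misconfigured flags discussed in the Examples and Remediation sections. The sample headers at the bottom are constructed from this page's own examples.

```python
# Added example, not code from the original write-up: a small auditor that
# parses Set-Cookie headers and reports which of the flags discussed above are
# missing or misconfigured. The sample headers at the bottom are constructed.

def parse_set_cookie(header: str) -> tuple:
    """Return (cookie name, {lower-cased attribute: value}) for a Set-Cookie line."""
    if header.lower().startswith("set-cookie:"):
        header = header.split(":", 1)[1]
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name, attrs


def audit_cookie(header: str) -> list:
    """Apply the checks from the Examples and Remediation sections; [] means clean."""
    _, attrs = parse_set_cookie(header)
    findings = []
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: readable via document.cookie")
    if "secure" not in attrs:
        findings.append("missing Secure: may be sent over plaintext HTTP")
    samesite = attrs.get("samesite", "").lower()
    if not samesite:
        findings.append("missing SameSite: cross-site sending depends on browser default")
    elif samesite == "none" and "secure" not in attrs:
        findings.append("SameSite=None without Secure: invalid, modern browsers reject it")
    elif samesite == "none":
        findings.append("SameSite=None: sent with cross-site requests, so CSRF tokens are required")
    if "domain" in attrs:
        # A Domain attribute widens the cookie to every subdomain of that domain.
        findings.append(f"Domain={attrs['domain']}: shared with all subdomains")
    return findings


def audit_headers(headers: list) -> dict:
    """Audit a batch of Set-Cookie headers, keyed by the original header text."""
    return {h: audit_cookie(h) for h in headers}


# Constructed samples: the headers from the Examples section plus a hardened one.
SAMPLE_HEADERS = [
    "Set-Cookie: sessionid=abcd1234; Path=/; HttpOnly;",
    "Set-Cookie: sessionid=abcd1234; Path=/; Secure; HttpOnly;",
    "Set-Cookie: sessionid=abcd1234; Path=/; SameSite=None; Domain=example.com",
    "Set-Cookie: sessionid=abcd1234; Path=/; Secure; HttpOnly; SameSite=Lax",
]
```

Running audit_headers(SAMPLE_HEADERS) flags the first three headers and returns an empty list for the hardened fourth one.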