Making your cookies and sessions secure is essential for any developer/programmer. Today at Codingsec we are going to go through what cookies are and how they relate to security. This article covers techniques such as limiting a cookie to certain domains, and to paths within those domains. It also shows how to choose what information to store in a cookie, and how to protect the cookie from cross site scripting exploits.
What are Cookies?
When the server wants to set a cookie, it sends back a header named “Set-Cookie” carrying the key-value pair and any options.
With subsequent requests the client sends its own “Cookie” header to the server, so the server learns the name and value of each cookie the client has stored. The server does not keep sending the cookies back; it only sends them again when there is an alteration.
You can view the headers for yourself utilising the LiveHeaders plugin for Firefox.
Of course there are issues. For instance, the client has complete control over the data. Therefore all cookie data must be authenticated, and you should avoid storing sensitive data in cookies at all. It is also important to understand that HTTP does not encrypt the headers in any way: if the connection isn’t made using SSL, the data can easily be compromised by hackers.
A session cookie’s value is just a simple ID, and it has much the same vulnerabilities as any other cookie. The real strength of session cookies lies on the server side, where the ID is used to look up data stored on the server. The advantages of this over storing data within the cookie itself are:
- Data can not be tampered with by the user.
- Large amounts of data can be stored without having to send it out with each request.
- Data that you don’t wish the user to have access to can also be stored.
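The point above that all cookie data must be authenticated, as an added example that is not from the original article: a value the client is allowed to see is signed with an HMAC, and any cookie whose MAC does not match is treated as missing. The secret name COOKIE_HMAC_KEY and the “theme” cookie are assumptions chosen for this example; the secret should really be loaded from configuration outside the web root. Requires PHP 7.1 or later.

```php
<?php
// Added example (not from the original article): authenticating cookie data
// with an HMAC so that a client cannot alter it unnoticed.
// COOKIE_HMAC_KEY is a placeholder; load a real secret from outside the web root.
const COOKIE_HMAC_KEY = 'replace-with-a-long-random-secret';

// Encode a non-sensitive value and append a MAC over the encoded payload.
// base64 and hex output never contain '.', so '.' is a safe separator.
function signCookieValue(string $value): string
{
    $payload = base64_encode($value);
    $mac = hash_hmac('sha256', $payload, COOKIE_HMAC_KEY);
    return $payload . '.' . $mac;
}

// Return the original value, or null if the cookie is missing, malformed,
// or its MAC does not match (i.e. it was altered on the client side).
function verifyCookieValue(?string $cookie): ?string
{
    if ($cookie === null || strpos($cookie, '.') === false) {
        return null;
    }
    [$payload, $mac] = explode('.', $cookie, 2);
    $expected = hash_hmac('sha256', $payload, COOKIE_HMAC_KEY);
    // hash_equals compares in constant time, so the check does not leak timing.
    if (!hash_equals($expected, $mac)) {
        return null;
    }
    $value = base64_decode($payload, true);
    return $value === false ? null : $value;
}

// Setting the cookie (must happen before any output is sent): the value is
// readable by the client but cannot be forged without the secret.
setcookie('theme', signCookieValue('dark'), 0, '/', '', isset($_SERVER['HTTPS']), true);

// Reading it back on a later request: fall back to a default instead of
// trusting a value that failed verification.
$theme = verifyCookieValue($_COOKIE['theme'] ?? null);
if ($theme === null) {
    $theme = 'light';
}
```

Signing only prevents tampering; it does not hide the value, so anything the user must not read still belongs in server-side session data, as the list above says.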
Now let’s begin!
The first step in securing a cookie is to limit its scope to what your application actually needs. This is vital in environments that host several sites and applications. By restricting the cookie to the applications that require it, you reduce the chance of it being intercepted.
Below are the questions that you need to be asking yourself in order to make the process successful:
- What parts of the website need to access the cookie?
- Does the cookie need to work across subdomains?
- Does the cookie need to persist if the user leaves the SSL areas of the website?
Time to configure your cookie
In PHP, configure the cookie using the “setcookie” function. The parameters, in order, are:
setcookie(name, value, expire, path, domain, secure, httponly);
// Loose scope: whole domain and all subdomains, sent over plain HTTP, readable by scripts.
setcookie('username', 'Bob', 0, '/', '.example', false, false);
// Tight scope: one path on one host, secure only when the request came over SSL, hidden from scripts.
setcookie('username', 'Bob', 0, '/forums', 'www.example.com', isset($_SERVER["HTTPS"]), true);
To change the parameters of the session cookie, use the “session_set_cookie_params” function. It must be called before the session is started.
session_set_cookie_params($lifetime, $path, $domain, $secure, $httponly);
// Loose scope, as above.
session_set_cookie_params(0, '/', '.example', false, false);
// Tight scope, as above.
session_set_cookie_params(0, '/forums', 'www.example.com', isset($_SERVER["HTTPS"]), true);
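Putting the two calls together, as an added example rather than the article’s own code: the session cookie and an application cookie are both scoped to one path on one host, and the secure flag is derived from the request. The helper requestIsHttps() and the /forums path on www.example.com are assumptions for this example; the helper also handles servers (IIS, for instance) that set $_SERVER["HTTPS"] to "off" instead of leaving it unset, which a bare isset() check would misread as SSL.

```php
<?php
// Added example (not from the original article): narrowly scoped cookies.
// Assumes the application lives under /forums on www.example.com.

// True only when the request arrived over SSL/TLS. Some servers set
// $_SERVER['HTTPS'] to "off" rather than leaving it unset, so check the value.
function requestIsHttps(): bool
{
    return !empty($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) !== 'off';
}

// Session cookie parameters must be set before session_start() issues the cookie.
// lifetime 0 = until the browser closes; path /forums; host only (no subdomains);
// secure when on SSL; httponly so scripts cannot read the session ID.
session_set_cookie_params(0, '/forums', 'www.example.com', requestIsHttps(), true);
session_start();

// A separate application cookie with the same narrow scope.
setcookie('username', 'Bob', 0, '/forums', 'www.example.com', requestIsHttps(), true);

// Outside /forums, or on a plain HTTP page when the cookie was set as secure,
// the browser does not send either cookie, which answers the scoping questions above.
```

Both calls have to run before any output is written to the response, since they set headers; if output has already started, PHP raises a “headers already sent” warning and the cookie is silently not set.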
Cookies are the basic mechanism for tracking identity on a large number of websites. It is extremely important to keep them secure to prevent unauthorized access to important data.
When setting cookies it is key to:
- Limit how much sensitive information is stored within them.
- Keep the domain and path scope as narrow as possible to prevent interception of sensitive data.
- Incorporate SSL so the cookie data is not sent as plain text.
If you like this article, comment below and don’t forget to share it.