Making your cookies and sessions secure is essential for any developer. Today at Codingsec we are going to go through what cookies are and how they relate to security. This article covers techniques such as limiting a cookie to certain domains, and to paths within that domain. It also demonstrates how to choose what information to store in a cookie, and how to protect the cookie from cross-site scripting exploits.

What are Cookies?

A cookie is a small piece of information, stored as a small text file on the web user's hard drive or storage device. It is generated by a website's server; the information stored within the cookie is set by the server and its programming language, and it is delivered using HTTP headers. When a developer has data that needs to last for more than one session, they can use cookies to store that data on the client side. A cookie is often thought of as a web user's I.D. card, which tells the server who the user is when they return to the website.

When the server wants to set a cookie it passes back a header named “Set-Cookie” containing the key-value pair and any options.

With subsequent requests the client sends its own header (“Cookie”) to the server so the server knows the name and value of the stored cookies. The server does not keep sending the cookie back; it only sends it again if there is an alteration.

You can view the headers for yourself using the LiveHeaders plugin for Firefox.


Of course there are issues. For instance, the client has complete control over the data, so all cookie data must be authenticated, and it is important to avoid storing sensitive data in cookies. It is also important to understand that HTTP does not encrypt the headers in any way: if the connection isn’t made using SSL then the data could easily be intercepted by an attacker.

A session cookie’s value is a simple ID, and it has much the same vulnerabilities as other forms of cookies. The real strength of session cookies is on the server side, where the ID is used to look up data stored on the server. This method has several benefits over storing data within the cookie itself:

  • Data can not be tampered with by the user.
  • Large amounts of data can be stored without having to send it out with each request.
  • Data that you don’t wish the user to have access to can also be stored.

Now let’s begin!

The first step in securing your cookie is to limit it to the parts of your application that need it. This is vital in environments that host several sites and applications. By restricting the cookie to the applications that require it, you limit the possibility of it being intercepted.

Below are the questions you need to ask yourself to make this process successful:

  • What parts of the website need to access the cookie?
  • Does the cookie need to work across subdomains?
  • Does the cookie need to persist when the user leaves the SSL areas of the website?

Another option is to restrict access to the cookie from JavaScript. How and where to limit access to the cookie really depends on what sort of website or application you are running. For instance, if your website or application is mainly e-commerce based then limiting the cookies to SSL only is recommended. However, if you are running a blog or news-based website then you can normally be less strict about the cookie limitations.

Time to configure your cookie

Using PHP, configure the cookie with the “setcookie” function:

setcookie($name, $value, $expire, $path, $domain, $secure, $httponly);

// Loosely configured: sent to every path on every subdomain of .example,
// over plain HTTP, and readable from JavaScript
setcookie('username', 'Bob', 0, '/', '.example', false, false);

// Locked down: restricted to the /forums path on the exact host that set it,
// marked Secure when the request came over HTTPS, and HttpOnly
setcookie('username', 'Bob', 0, '/forums', '', isset($_SERVER['HTTPS']), true);

To change the cookie parameters for the session cookie, use the “session_set_cookie_params” function. This must be called before the session is started.

session_set_cookie_params($expire, $path, $domain, $secure, $httponly);

// Loosely configured: same weaknesses as the first setcookie() call above
session_set_cookie_params(0, '/', '.example', false, false);

// Locked down
session_set_cookie_params(0, '/forums', '', isset($_SERVER['HTTPS']), true);
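The two “locked down” calls above folded into a small helper, as an added example that is not code from the original article. is_https, locked_down_cookie_options and set_locked_down_cookie are my own names, and the HTTPS check goes one step further than the article’s isset() by also handling servers that set $_SERVER['HTTPS'] to the string "off" instead of leaving it unset.

```php
<?php
// Added example (not from the original article): apply the article's
// "locked down" settings to both a plain cookie and the session cookie.

// $_SERVER['HTTPS'] is unset on plain HTTP, but some servers (e.g. IIS)
// set it to "off" instead, so a bare isset() would wrongly treat such a
// request as secure and the cookie would lose its Secure flag logic.
function is_https(array $server): bool
{
    return !empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off';
}

// Build the locked-down parameters (hypothetical helper). Domain is left
// empty so the cookie is bound to the exact host that set it, and the
// path is restricted to the given area of the site.
function locked_down_cookie_options(array $server, string $path = '/'): array
{
    return [
        'expires'  => 0,                 // session cookie: gone when the browser closes
        'path'     => $path,             // e.g. '/forums', not '/'
        'domain'   => '',                // exact host only, no subdomains
        'secure'   => is_https($server), // only sent over SSL/TLS when we are on it
        'httponly' => true,              // hidden from document.cookie (XSS mitigation)
    ];
}

// Set a cookie with the locked-down options. Returns false if headers were
// already sent, the usual cause of a "cookie was never set" bug.
function set_locked_down_cookie(string $name, string $value, string $path = '/'): bool
{
    if (headers_sent()) {
        return false;
    }
    $o = locked_down_cookie_options($_SERVER, $path);
    return setcookie($name, $value, $o['expires'], $o['path'], $o['domain'],
                     $o['secure'], $o['httponly']);
}

// Usage: must run before any output and before session_start().
$o = locked_down_cookie_options($_SERVER, '/forums');
session_set_cookie_params($o['expires'], $o['path'], $o['domain'],
                          $o['secure'], $o['httponly']);
session_start();
set_locked_down_cookie('username', 'Bob', '/forums');
```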


Cookies are the simplest technique for identity tracking and are used on a large number of websites. It is extremely important to keep them secure to prevent unauthorized access to sensitive data.

When setting cookies it is key to:

  • Limit how much sensitive information is stored within it.
  • Keep the domain and path scope as narrow as possible to prevent interception of sensitive data.
  • Use SSL so the cookie data is not sent as plain text.
  • Finally, make the cookie HttpOnly so it cannot be read by JavaScript.

If you like this article, comment below and don’t forget to share it.
