This post is part of the “WASEC: Web Application SECurity” series, which is a portion of the content of WASEC, an e-book on web application security I’m currently writing.
Here is a list of all the articles in this series:
Web security demystified: WASEC
Understanding the browser
Security at the HTTP level
HTTP headers to secure your application
Hardening HTTP cookies
Imagine being a backend developer who needs to implement sessions in an application:
the first thing that comes to mind is to issue a token to clients and ask them
to send this token with their subsequent requests. From then on,
you can identify clients by the token included in their
HTTP cookies were born to standardize this sort of mechanism across browsers:
they’re nothing more than a way to store data sent by the server and send
it along with future requests. The server sends a cookie, which contains small bits of data;
the browser stores it and sends it along with future requests to the same server.
Why should we care about cookies from a security perspective? Because the data
they contain is, more often than not, extremely sensitive —
cookies are generally used to store session IDs or access tokens, an attacker’s holy grail.
Once they are exposed or compromised, attackers can
impersonate users or escalate their privileges on your application.
Securing cookies is one of the most important aspects of implementing sessions
on the web: this chapter will, therefore, give you a better understanding
of cookies, how to secure them and what alternatives can be used.