Securing Cookies with HttpOnly and secure Flags [Updated 2020]


Introduction

Securing cookies is an important subject. Think about an authentication cookie: when an attacker is able to grab this cookie, he can impersonate the user. This article describes the HttpOnly and secure flags, which can enhance the security of cookies.

HTTP, HTTPS and secure flag

When the HTTP protocol is used, the traffic is sent in plaintext. This allows an attacker to see or modify the traffic (a man-in-the-middle attack). HTTPS is a secure version of HTTP — it uses SSL/TLS to protect the data of the application layer. When HTTPS is used, the following properties are achieved: authentication, data integrity and confidentiality.

How are HTTP and HTTPS related to a secure flag of the cookie?

Let’s consider the case of an authentication cookie. As was previously said, stealing this cookie is equivalent to impersonating the user. When HTTP is used, the cookie is sent in plaintext. This is convenient for an attacker eavesdropping on the communication channel between the browser and the server — he can grab the cookie and impersonate the user.

Now let’s assume that HTTPS is used instead of HTTP. HTTPS provides confidentiality, so the attacker can’t see the cookie. The conclusion is to send the authentication cookie over a secure channel so that it can’t be eavesdropped. The question that might arise at this point is: why do we need a secure flag if we can use HTTPS?

Let’s consider the following scenario to answer this question. The site is available over HTTP and HTTPS. Moreover, let’s assume that there is an attacker in the middle of the (Read more...)
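The following is an added example, not code from the original article: it models how a browser applies the two flags discussed here (a Secure cookie is withheld from plaintext HTTP requests, an HttpOnly cookie is hidden from document.cookie) and audits Set-Cookie headers for cookies that lack them. The header values are constructed for illustration.

```python
"""Browser-side effect of the Secure and HttpOnly cookie flags, plus a header audit."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    secure: bool     # only sent over HTTPS
    httponly: bool   # not readable by client-side script


def parse_set_cookie(header: str) -> Cookie:
    """Parse a Set-Cookie header value; attribute names are case-insensitive."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    flags = {p.partition("=")[0].strip().lower() for p in parts[1:]}
    return Cookie(name.strip(), value, "secure" in flags, "httponly" in flags)


def sent_on_request(cookie: Cookie, url_scheme: str) -> bool:
    """A Secure cookie is never attached to a plaintext HTTP request, so on a
    site reachable over both HTTP and HTTPS an eavesdropper does not see it."""
    return not (cookie.secure and url_scheme.lower() != "https")


def visible_to_script(cookie: Cookie) -> bool:
    """An HttpOnly cookie is excluded from document.cookie."""
    return not cookie.httponly


def audit(headers: list[str]) -> dict[str, list[str]]:
    """Report cookies that lack one or both flags (defensive header review)."""
    report = {}
    for h in headers:
        c = parse_set_cookie(h)
        missing = [f for f, ok in (("Secure", c.secure), ("HttpOnly", c.httponly)) if not ok]
        if missing:
            report[c.name] = missing
    return report


# Constructed sample headers: one hardened session cookie, one weak cookie
SAMPLE_HEADERS = [
    "sessionid=a1b2c3; Path=/; Secure; HttpOnly",
    "prefs=dark; Path=/",
]

if __name__ == "__main__":
    weak = parse_set_cookie(SAMPLE_HEADERS[1])
    print(sent_on_request(weak, "http"))   # True: the weak cookie travels in plaintext
    print(audit(SAMPLE_HEADERS))           # {'prefs': ['Secure', 'HttpOnly']}
```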

*** This is a Security Bloggers Network syndicated blog from Infosec Resources authored by Dawid Czagan. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/ZP1GVB_uc9s/