Cookies are widely used throughout the Web because they allow publishers to store data directly in the user’s Web browser. They are particularly used to identify the user’s session, allowing the web server to recognize the user as they navigate through the site, and they generally contain sensitive data. You have to protect them properly.
The Set-Cookie HTTP header
A small reminder: each time a server responds to a request, the HTTP response may contain a Set-Cookie header asking the web browser to create one or more cookies associated with one or more domains. Those cookies retain information that will be transmitted in future requests to these domains.
Here is the syntax of such a header:
Set-Cookie: <name>=<value>[; Max-Age=<age>][; expires=<date>][; domain=<domain_name>][; path=<some_path>][; secure][; HttpOnly]
Every cookie is identified by its name and retains a value. A lifetime (Max-Age) and/or an expiry date (expires) can be defined to limit data retention over time. Note that if both attributes are set, the lifetime value (Max-Age) prevails.
By default, a cookie is associated with the location of the current document (domain as well as path), but the Set-Cookie header can define custom values to restrict or extend the hosts to which the cookie will be sent (for example, if a domain attribute is specified, the cookie is also sent to that domain’s subdomains). Consequently, one of the best practices regarding the security of cookies is to properly manage their scope.
The last 2 attributes, Secure and HttpOnly, deal specifically with security. Please note that they do not require any associated value: their mere presence is enough for the browser to apply the expected behaviour to the cookie.
Prevent the use of a cookie on the client side with HttpOnly
Forbid the use of a cookie without HTTPS thanks to the Secure flag
What if a user comes to your website via HTTP, simply because they typed your URL without the “https://” prefix? The same thing can happen if your web page contains mixed content.
Setting an HTTP Strict Transport Security (HSTS) header, which enforces HTTPS for all subsequent visits, limits the risk of the first scenario, but not all browsers support this header, and the very first visit remains an issue in any case. For the second scenario, a Content Security Policy can prevent any mixed-content risk in browsers that support the “Upgrade Insecure Requests” directive.
In the end, only the Secure attribute guarantees that a cookie will never be transmitted over plain HTTP.
The value of this flag is clearly stated in the RFC “HTTP State Management Mechanism” (RFC 6265):
Servers that require a higher level of security SHOULD use the Cookie and Set-Cookie headers only over a secure channel. When using cookies over a secure channel, servers SHOULD set the Secure attribute (see Section 4.1.2.5) for every cookie. If a server does not set the Secure attribute, the protection provided by the secure channel will be largely moot.
Obviously, keep in mind that a cookie carrying the Secure flag will never be sent to the HTTP version of your website. So be careful if your website still has both HTTPS and HTTP areas.
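As an added example (not the post’s own code, nor the analysis tool it mentions), here is a small Python audit of a single Set-Cookie header value covering the points above: it parses the attributes, flags a missing Secure or HttpOnly flag, notes when Max-Age overrides expires, and shows how a Domain attribute widens the cookie’s scope to subdomains. The `site_host` parameter, the sample headers and the message wording are my own assumptions.

```python
# Added example (not from the original post): parse one Set-Cookie header
# value and report the security-relevant attributes discussed in the text.
from typing import Dict, List, Optional


def parse_set_cookie(header: str) -> Dict[str, Optional[str]]:
    """Split 'name=value; attr; attr=value' into a dict.

    Attribute names are case-insensitive (RFC 6265), so keys are lowercased.
    Flag attributes such as Secure and HttpOnly carry no value: they map to None.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie: Dict[str, Optional[str]] = {"name": name.strip(), "value": value.strip()}
    for attr in parts[1:]:
        if not attr:
            continue
        key, has_eq, val = attr.partition("=")
        cookie[key.strip().lower()] = val.strip() if has_eq else None
    return cookie


def audit_set_cookie(header: str, site_host: str) -> List[str]:
    """Return the findings a defender would want for one Set-Cookie header.

    site_host is the host that emitted the header (assumed, for the Domain check).
    """
    c = parse_set_cookie(header)
    findings: List[str] = []
    if "secure" not in c:
        findings.append("missing Secure: cookie may be sent over plain HTTP")
    if "httponly" not in c:
        findings.append("missing HttpOnly: cookie is readable by client-side scripts")
    # When both lifetime attributes are present, Max-Age takes precedence.
    if "max-age" in c and "expires" in c:
        findings.append(f"both Max-Age and expires set: Max-Age={c['max-age']} prevails")
    # A Domain attribute extends the cookie to every subdomain of that domain;
    # a domain that does not cover the emitting host is rejected by browsers.
    domain = c.get("domain")
    if domain:
        domain = domain.lstrip(".").lower()
        if site_host == domain or site_host.endswith("." + domain):
            findings.append(f"Domain={domain}: cookie is also sent to all its subdomains")
        else:
            findings.append(f"Domain={domain} does not cover {site_host}: browser will reject it")
    return findings


if __name__ == "__main__":  # constructed sample header, not a real site
    weak = "session=abc123; Max-Age=3600; expires=Wed, 09 Jun 2021 10:18:14 GMT; domain=.example.com"
    for finding in audit_set_cookie(weak, "www.example.com"):
        print(finding)
```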
In conclusion, do not forget that our web page analysis tool lets you check at a glance that all of your cookies are secured, by verifying whether HttpOnly and Secure are properly used!