Monday, February 21, 2011

Two cookie attributes you MUST be aware of to secure your web app

There are two attributes of cookies that every web developer must be aware of to secure a web application. These two attributes don't save your application from all attacks, but at least they reduce its vulnerability to a great extent. These two attributes are:

  • HttpOnly
  • Secure
The first attribute, HttpOnly, says that the cookie is intended to be passed only as a part of HTTP communication. Hence it must not be available to the application running in the browser (such as JavaScript on the page). So once you load a page, if you type "javascript:alert(document.cookie)" in the URL bar, you will not see those cookies that have the HttpOnly flag set.

The second attribute, Secure, tells the browser that the cookie should be sent as a part of the request if and only if the communication happens over an HTTPS channel. Typically login requests are sent over HTTPS. (If you are using a web app that uses HTTP for its login page, it's time you stopped using it!) Typically, as a part of the login response, two sets of cookies are set: one that can be sent over both HTTP and HTTPS, and another that can be sent only over HTTPS. It is the cookies that are sent only over HTTPS that the serious parts of your web application should depend on, e.g. checking out your shopping cart.
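To make the two flags concrete, here is an added example (my own code, not part of the original post) that parses Set-Cookie headers, audits them for HttpOnly and Secure, and models the two behaviours described above: which cookies a page script would see in document.cookie, and which the browser attaches to a request over http versus https. The cookie names and values in SAMPLE_RESPONSE_HEADERS are constructed for illustration.

```python
"""Audit Set-Cookie headers for the HttpOnly and Secure attributes.

Added example, not code from the original post.  All cookie names and
values below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass
class CookieInfo:
    name: str
    value: str
    httponly: bool
    secure: bool


def parse_set_cookie(header_value: str) -> CookieInfo:
    """Parse one Set-Cookie header value into name, value and the two flags.

    Attribute names are case-insensitive, so they are compared lower-cased.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")          # value may contain '='
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return CookieInfo(name.strip(), value.strip(),
                      httponly="httponly" in attrs, secure="secure" in attrs)


def build_set_cookie(name, value, *, httponly=True, secure=True, path="/"):
    """Build a Set-Cookie header value; both flags are on by default so a
    forgetful caller gets the safe form and must opt out explicitly."""
    pieces = [f"{name}={value}", f"Path={path}"]
    if secure:
        pieces.append("Secure")
    if httponly:
        pieces.append("HttpOnly")
    return "; ".join(pieces)


def audit(headers):
    """Return (cookie_name, problem) pairs for every Set-Cookie header in the
    response that lacks HttpOnly or Secure."""
    findings = []
    for hname, hvalue in headers:
        if hname.lower() != "set-cookie":
            continue
        cookie = parse_set_cookie(hvalue)
        if not cookie.httponly:
            findings.append((cookie.name, "missing HttpOnly"))
        if not cookie.secure:
            findings.append((cookie.name, "missing Secure"))
    return findings


def script_visible(cookies):
    """Names a page script sees in document.cookie: everything without HttpOnly."""
    return [c.name for c in cookies if not c.httponly]


def sent_over(cookies, scheme):
    """Names the browser attaches to a request on the given scheme: cookies
    flagged Secure travel over https only, the rest over both."""
    return [c.name for c in cookies if scheme == "https" or not c.secure]


# Constructed login response: a hardened session cookie, a preference cookie
# that is allowed to travel over plain HTTP, and an auth cookie set carelessly.
SAMPLE_RESPONSE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", build_set_cookie("SESSION", "s3ss10n")),
    ("Set-Cookie", build_set_cookie("PREFS", "lang-en", httponly=False, secure=False)),
    ("Set-Cookie", "AUTH=t0k3n; Path=/"),
]


if __name__ == "__main__":
    cookies = [parse_set_cookie(v) for n, v in SAMPLE_RESPONSE_HEADERS
               if n.lower() == "set-cookie"]
    for name, problem in audit(SAMPLE_RESPONSE_HEADERS):
        print(f"{name}: {problem}")
    print("visible to document.cookie:", script_visible(cookies))
    print("sent over http: ", sent_over(cookies, "http"))
    print("sent over https:", sent_over(cookies, "https"))
```

Running it reports that AUTH is missing both flags and PREFS is missing Secure, while SESSION passes; the two lists at the end show that AUTH, unlike SESSION, is both readable from script and leaks onto plain HTTP requests. The same audit function can be pointed at real response headers captured from a staging server to catch cookies that were set without the flags.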

You can learn more about the HttpOnly flag here and here. Also, you can learn more about the Secure flag in the wiki page.
