Two cookie attributes you MUST be aware of to secure your web app
There are two attributes of cookies that every web developer must be aware of to secure their web application. These two attributes don't save your application from all attacks, but they at least reduce its exposure to a great extent. These two attributes are: HttpOnly and Secure.

The first attribute, HttpOnly, says that the cookie is intended to be passed only as a part of HTTP communication. Hence it must not be available to the application (such as JavaScript running in the browser). So once you load a page, if you type "javascript:alert(document.cookie)" in the URL bar, you will not see those cookies that have the HttpOnly flag set.

The second attribute, Secure, tells the browser that the cookie should be sent as a part of the request if and only if the communication happens over an HTTPS channel. Typically login requests are sent over HTTPS channels. (If you are using a web app that uses HTTP for its login page, it's time you stop using it!)

Typically, as a part of the login response...
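As an added illustration (not part of the original post), the following Python builds a session cookie with both attributes set and audits Set-Cookie headers for the missing ones; the header strings and cookie names are constructed samples, not from any real site.

```python
"""Build and audit Set-Cookie headers for the HttpOnly and Secure attributes."""
from typing import Dict, List, Tuple

# Constructed sample Set-Cookie headers, as a server might send them.
SAMPLE_SET_COOKIE_HEADERS = [
    "sessionid=abc123; Path=/; HttpOnly; Secure",   # both flags present
    "authtoken=xyz789; Path=/",                     # neither flag: readable by script, sent over HTTP
    "theme=dark; Path=/; Secure",                   # Secure only: still readable by script
]

PROTECTIVE_FLAGS = ("HttpOnly", "Secure")


def build_session_cookie(name: str, value: str, path: str = "/") -> str:
    """Return a Set-Cookie header value carrying both protective attributes:
    HttpOnly keeps the cookie away from document.cookie, Secure restricts it
    to requests made over HTTPS."""
    return f"{name}={value}; Path={path}; HttpOnly; Secure"


def parse_set_cookie(header: str) -> Tuple[str, str, Dict[str, str]]:
    """Split a Set-Cookie header value into (name, value, attributes).
    Attribute names are lower-cased; flag attributes map to an empty string."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        if key.strip():
            attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def missing_flags(header: str) -> List[str]:
    """Return which of HttpOnly / Secure are absent from one Set-Cookie header."""
    _, _, attrs = parse_set_cookie(header)
    return [flag for flag in PROTECTIVE_FLAGS if flag.lower() not in attrs]


def audit_headers(headers: List[str]) -> Dict[str, List[str]]:
    """Map each cookie name to the protective flags it lacks (empty list = OK)."""
    report: Dict[str, List[str]] = {}
    for header in headers:
        name, _, _ = parse_set_cookie(header)
        report[name] = missing_flags(header)
    return report


if __name__ == "__main__":
    for cookie, missing in audit_headers(SAMPLE_SET_COOKIE_HEADERS).items():
        print(f"{cookie}: {'OK' if not missing else 'missing ' + ', '.join(missing)}")
```

Running the audit over a real login response's Set-Cookie headers is a quick way to confirm the session cookie carries both attributes before shipping.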