Cookies

When are cookies sent

The Domain and Path attributes define the scope of the cookie: which URLs the cookie is sent to. If the domain and path of the cookie match those of the request, the cookie is sent along with the request.

Cookie flags

Currently, three flags can be set on cookies:

  • Secure

  • HttpOnly

  • SameSite

The Secure flag

A Secure cookie is only sent to the server with an encrypted request over HTTPS. So in addition to the cookie's Domain and Path matching those of the request, the request's scheme has to match as well.

The HttpOnly flag

To help mitigate cross-site scripting (XSS) attacks, HttpOnly cookies are not accessible to JavaScript (e.g. through the Document.cookie API); they are only sent to the server. XSS will be covered later in the course, and we will then revisit this cookie flag.

The SameSite flag

The SameSite flag changes when cookies are sent with requests. Cookies are usually sent along with any request whose Domain and Path (and, for Secure cookies, scheme) match; cookies marked SameSite are not sent along with cross-site requests (hence the name: SameSite cookie).

The SameSite flag can have three possible values:

  • None: the browser sends the cookie with both cross-site and same-site requests.

  • Strict: the browser only sends the cookie with same-site requests, i.e. requests originating from the site that set the cookie. If the request originates from a different site than the one the user is currently on, none of the cookies tagged Strict are included.

  • Lax: the cookie is withheld on cross-site subrequests, such as requests that load images or frames, but is sent when the user navigates to the URL from an external site, for example by following a link.

Setting this flag provides some protection against cross-site request forgery attacks (CSRF). CSRF will be covered later in the course, and we will then revisit this cookie flag.
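To make the rules above concrete, here is an added example (not code from the course or from the MDN material it draws on): a simplified model of the decision a browser makes before attaching a cookie to a request, covering Domain/Path scope, the Secure flag, the HttpOnly flag and the three SameSite values. Its assumptions are labelled in the code: domain matching is a suffix match on a label boundary, path matching is prefix matching on "/" boundaries, a "site" is approximated by the last two host labels (real browsers consult the Public Suffix List), a cookie without a SameSite attribute is treated as Lax (Chromium's default), and Lax cookies are attached only to top-level GET navigations. The hosts and cookie values are constructed for the demo.

```javascript
// Added example (not from the course page): a simplified model of the decision a
// browser makes before attaching a cookie to a request.
// Assumptions (not from the page): domain matching is a suffix match on a label
// boundary (RFC 6265), path matching is prefix matching on "/" boundaries, a
// "site" is approximated by the last two host labels (browsers use the Public
// Suffix List), a cookie without SameSite is treated as Lax (Chromium default),
// and Lax cookies ride along only on top-level GET navigations.

// Parse a Set-Cookie header value into the attributes used below.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');
  const cookie = {
    name: pair.slice(0, eq), value: pair.slice(eq + 1),
    domain: null,        // null = host-only cookie (no Domain attribute)
    path: '/', secure: false, httpOnly: false, sameSite: 'Lax',
  };
  for (const attr of attrs) {
    const [k, v = ''] = attr.split('=');
    switch (k.toLowerCase()) {
      case 'domain':   cookie.domain = v.toLowerCase().replace(/^\./, ''); break;
      case 'path':     cookie.path = v || '/'; break;
      case 'secure':   cookie.secure = true; break;
      case 'httponly': cookie.httpOnly = true; break;
      case 'samesite': if (v) cookie.sameSite = v[0].toUpperCase() + v.slice(1).toLowerCase(); break;
    }
  }
  return cookie;
}

// Domain scope: a host-only cookie goes back only to the host that set it; a
// cookie with Domain=example.com also goes to every subdomain of example.com.
function domainMatches(cookieDomain, originHost, requestHost) {
  if (!cookieDomain) return requestHost === originHost;
  return requestHost === cookieDomain || requestHost.endsWith('.' + cookieDomain);
}

// Path scope: Path=/admin matches /admin and /admin/users but not /administrator.
function pathMatches(cookiePath, requestPath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith('/') || requestPath[cookiePath.length] === '/';
}

// Approximation of the "site" (registrable domain) used for SameSite decisions.
function siteOf(host) {
  return host.split('.').slice(-2).join('.');
}

// request: { url, initiatorHost, topLevelNavigation, method }
function shouldSend(cookie, originHost, request) {
  const target = new URL(request.url);
  if (!domainMatches(cookie.domain, originHost, target.hostname)) return false;
  if (!pathMatches(cookie.path, target.pathname)) return false;
  // Secure: the scheme has to match too, not just Domain and Path.
  if (cookie.secure && target.protocol !== 'https:') return false;
  const crossSite = siteOf(request.initiatorHost) !== siteOf(target.hostname);
  if (!crossSite) return true;
  switch (cookie.sameSite) {
    case 'None':   return true;   // sent with cross-site requests as well
    case 'Strict': return false;  // never sent cross-site
    case 'Lax':    return request.topLevelNavigation === true
                       && (request.method || 'GET') === 'GET'; // e.g. following a link
    default:       return false;
  }
}

// HttpOnly does not change whether the cookie is sent, only whether
// document.cookie can read it.
function visibleToScript(cookie) {
  return !cookie.httpOnly;
}

// Constructed scenario: cookies set by shop.example.com, requests from the same
// site and from an unrelated site (evil.example.net).
function demo() {
  const origin = 'shop.example.com';
  const lax = parseSetCookie('session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax');
  const strict = parseSetCookie('csrf=xyz; Path=/; Secure; SameSite=Strict');
  const none = parseSetCookie('tracker=t1; Domain=.example.com; Secure; SameSite=None');
  const sameSiteGet = { url: 'https://shop.example.com/cart', initiatorHost: origin, topLevelNavigation: false };
  const plainHttp = { url: 'http://shop.example.com/cart', initiatorHost: origin, topLevelNavigation: false };
  const crossImg = { url: 'https://shop.example.com/avatar.png', initiatorHost: 'evil.example.net', topLevelNavigation: false };
  const crossLink = { url: 'https://shop.example.com/cart', initiatorHost: 'evil.example.net', topLevelNavigation: true };
  const crossForm = { ...crossLink, method: 'POST' };
  return {
    laxSameSite: shouldSend(lax, origin, sameSiteGet),      // true
    laxOverHttp: shouldSend(lax, origin, plainHttp),        // false: Secure, scheme is http
    laxCrossImage: shouldSend(lax, origin, crossImg),       // false: cross-site subrequest
    laxCrossLink: shouldSend(lax, origin, crossLink),       // true: top-level navigation
    laxCrossForm: shouldSend(lax, origin, crossForm),       // false: cross-site POST
    strictCrossLink: shouldSend(strict, origin, crossLink), // false: Strict
    noneCrossImage: shouldSend(none, origin, crossImg),     // true: None
    noneSubdomain: shouldSend(none, origin, { ...sameSiteGet, url: 'https://api.example.com/v1' }), // true: Domain scope
    sessionReadable: visibleToScript(lax),                  // false: HttpOnly
  };
}

console.log(demo());
```

Running the block prints the decision table for the constructed scenario; the two cases worth studying side by side are `laxCrossImage` versus `laxCrossLink`, which is exactly the distinction between a cross-site subrequest and a user-initiated navigation that Lax makes, and `laxOverHttp`, which shows Secure adding the scheme to the scope check.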

Source attribution


Last updated 3 years ago


Some parts of this page are based on HTTP Cookies by Mozilla Contributors, which is licensed under CC-BY-SA 2.5.