
Secure cookie

(often confused with the HttpOnly attribute, which is a separate cookie flag)

Secure cookie definition

A Secure cookie is an HTTP cookie with the Secure attribute set. A browser only sends a cookie that carries the Secure attribute over an encrypted HTTPS (TLS) connection, never in plain text over HTTP. This protects the cookie's confidentiality against a passive or active network attacker who can observe unencrypted traffic. The Secure attribute does not restrict script access: a Secure cookie without HttpOnly is still readable by JavaScript through document.cookie, and blocking script access is the job of the separate HttpOnly attribute. Secure also does not by itself guarantee integrity. Under the original cookie specification (RFC 6265) a response received over an unencrypted connection could still set or overwrite a cookie carrying the Secure attribute, so an active network attacker could plant a cookie value of their choosing. Browsers that implement the RFC 6265bis rule of refusing Secure cookies from non-secure origins close this gap, and the __Host- cookie name prefix additionally requires the cookie to be Secure, to have Path=/ and to carry no Domain attribute.

Benefits of secure cookies:

  • A cookie with the Secure attribute is never sent over plaintext HTTP, so it cannot be read by an eavesdropper on the network and is not leaked if the user follows an http:// link to the same site.
  • The Secure attribute on its own does not prevent theft via cross-site scripting (XSS); that requires the HttpOnly attribute, which hides the cookie from document.cookie. The two attributes are complementary, and a session cookie should carry both, normally together with a SameSite attribute.
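The attributes described above, as an added example in Node.js JavaScript that is not part of the original page: buildSessionCookie emits a Set-Cookie header carrying the Secure, HttpOnly and SameSite attributes under the __Host- prefix, and auditSetCookie parses any Set-Cookie header and reports which of those protections it lacks. The function names, the sample headers and the list of attributes treated as required are this example's own choices, not part of any standard.

```javascript
// Added example (not from the original page): build a hardened Set-Cookie
// header and audit arbitrary Set-Cookie headers for missing protections.
// Runs under Node.js; every header below is constructed for illustration.

// Attributes this audit treats as mandatory for a session cookie (a choice
// made for this example, not a requirement of the cookie specification).
const REQUIRED = ["secure", "httponly", "samesite"];

// Serialize a session cookie with the attributes it should carry.
// The __Host- prefix makes browsers reject the cookie unless it is Secure,
// has Path=/ and has no Domain attribute, which also stops a plain-http
// response from a sibling host from overwriting it.
function buildSessionCookie(name, value, { maxAge = 3600, sameSite = "Lax" } = {}) {
  if (!/^[\w-]+$/.test(name) || /[\s;,"\\]/.test(value)) {
    throw new Error("invalid cookie name or value");
  }
  return [
    `__Host-${name}=${value}`,
    "Path=/",
    `Max-Age=${maxAge}`,
    "Secure",
    "HttpOnly",
    `SameSite=${sameSite}`,
  ].join("; ");
}

// Parse one Set-Cookie header into {name, value, attrs}, where attrs maps
// lower-cased attribute names to their values (true for flag attributes).
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const name = eq < 0 ? pair : pair.slice(0, eq);
  const value = eq < 0 ? "" : pair.slice(eq + 1);
  const attrs = {};
  for (const part of rest) {
    if (!part) continue;
    const i = part.indexOf("=");
    const key = (i < 0 ? part : part.slice(0, i)).toLowerCase();
    attrs[key] = i < 0 ? true : part.slice(i + 1);
  }
  return { name, value, attrs };
}

// Report the protections a Set-Cookie header lacks. Secure alone does not
// block script access (that is HttpOnly) or cross-site sending (SameSite).
function auditSetCookie(header) {
  const { name, attrs } = parseSetCookie(header);
  const findings = [];
  for (const flag of REQUIRED) {
    if (!(flag in attrs)) findings.push(`missing ${flag}`);
  }
  if (name.startsWith("__Host-")) {
    if (!("secure" in attrs) || attrs.path !== "/" || "domain" in attrs) {
      findings.push("__Host- prefix requirements not met; browser will reject");
    }
  }
  if (String(attrs.samesite).toLowerCase() === "none" && !("secure" in attrs)) {
    findings.push("SameSite=None requires Secure");
  }
  return { name, findings };
}

// Constructed sample headers as they might appear in captured responses.
const SAMPLE_HEADERS = [
  "sessionid=abc123; Path=/",
  "sessionid=abc123; Path=/; Secure",
  buildSessionCookie("sessionid", "abc123"),
  "__Host-sid=xyz; Secure; HttpOnly; SameSite=None", // __Host- without Path=/
];

if (typeof require !== "undefined" && require.main === module) {
  for (const h of SAMPLE_HEADERS) {
    const { name, findings } = auditSetCookie(h);
    console.log(name, findings.length ? findings.join("; ") : "ok");
  }
}
```

The audit is useful on the response side of a proxy or in a test suite: the server can only ask for these attributes in Set-Cookie, and it is the browser that enforces them, so checking the emitted headers is the practical way to confirm that a session cookie is actually marked Secure.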

Cookie hijacking techniques:

  • Network threats. If a cookie is sent over an unencrypted connection, anyone on the path (shared Wi-Fi, a compromised router, an intercepting proxy) can read it. TLS (the successor to SSL) between browser and server protects the cookie in transit, but only if the cookie is never sent in the clear; the Secure attribute is what enforces that. Encrypting only the sensitive parts of the cookie value does not help against session hijacking, because the attacker replays the captured value unchanged.
  • End system threats. If an attacker steals or copies cookies from the user's machine or browser profile (malware, a shared computer, an exported profile), they can present them to the site and act as that user. Transport protections do not help here; short cookie lifetimes and server-side session revocation limit the damage.
  • Cookie harvesting. Cookies captured through a phishing site or an injected script can be replayed from the attacker's own machine to impersonate the user on the real site. Cross-site scripting (XSS) exploits a website vulnerability to run attacker-supplied script in the victim's browser, where document.cookie exposes any cookie not marked HttpOnly.