Ensuring cookie security

Some cookies may not be properly secured in the client browser. Not securing cookies leaves the application vulnerable to man-in-the-middle and session hijacking attacks. To fix this issue, take the following precautions.

  • Enforce the use of SSL at all times to reduce the risk of cookies being intercepted on the wire.
  • In the web application server, set the secure and httponly flags on all cookies.
    • The secure flag tells the browser to send the cookie only over an HTTPS connection. You must enable SSL on all applications that communicate with each other if you set this flag.
    • The httponly flag prevents cookies from being accessed through a client side script.