Protecting Session Cookies

By Paladion

September 15, 2004

How should I protect the session cookie in my web application from getting stolen?

  1. Use strongly random strings for the session token.
  2. Set the "secure" attribute for the session cookie.
  3. Set the "httponly" attribute for the cookie.
  4. All of the above.

The correct answer to the quiz is 4) All of the above.

The session cookie is a token that identifies the session of an authenticated user. An adversary could hijack the session of a user if he gets hold of the session token. There are 3 ways an adversary could get the session cookie: guessing, eavesdropping or stealing from the user's browser. Different techniques are available to minimize the occurrence of each.

To ensure the session token cannot be guessed, use long and strongly random strings that cannot be predicted. The session cookies that most platforms generate today are strongly random--developers are advised to use them instead of developing their own scheme.

Eavesdropping for session cookies can be prevented by encrypting the connection over which these tokens are sent. Since cookies for a specific domain are sent in all requests to that domain, and as an SSL-enabled site might have non-SSL resources like gif images too, one should ensure that the session cookies are sent only in the SSL enabled connections. This can be achieved by setting the "secure" attribute for the session cookie.

Attackers can exploit Cross Site Scripting (XSS) vulnerabilities to force scripts to run on the victim's browser; these scripts might steal the session cookie and post it to the attacker. Browsers today support a cookie attribute called "httponly" that prevents scripts from reading a cookie. The session id is safe from XSS attacks if the httponly attribute has been set for the cookie while disabling the Trace command on the server.

Tags: Quiz