What is it?
  • a small piece of data stored by the browser.
  • can be set by:
    • the client, via JavaScript (document.cookie).
    • the server, via the Set-Cookie HTTP response header.
  • the cookie is automatically sent back to the server in the Cookie header of every matching request.
  • cookies of different domains are kept separate, so a cookie of domain A cannot be read from domain B. This isolation can still be bypassed by an XSS attack on domain A, because injected script runs in A's own context.
Cookie attributes
  • Domain
  • Path: defines which paths on the site receive the cookie => restrict the cookie to a specific Path (instead of the default /, which covers the whole site) to reduce the XSS attack surface.
  • Expiration: sets when the cookie will be removed. By default a cookie lasts for the session, i.e. it is removed when the browser closes.
  • HttpOnly: if not set, client-side script can read the cookie => an XSS attack can steal it
  • Secure: if not set, the cookie can be sent over a plain http connection => man-in-the-middle attack
  • SameSite: this flag tells the browser whether or not to send third-party cookies along with a cross-site request:
    • third-party cookies: when you visit a.com but that page includes content (an image, a link, ...) from b.com, cookies set by b.com are considered third-party cookies.
    • those cookies let services like Facebook, Google Analytics, DoubleClick, etc. track users and serve online advertisements
    • those cookies create the potential for a CSRF attack: an attacker tricks the user into opening a malicious link which, in turn, makes a "forged" request to the trusted site a.com. If the SameSite flag is not set properly, all of a.com's cookies (including authentication cookies) are sent along with the forged request => the attacker can perform the action they want without the user's awareness.
    • SameSite cookie values:
      • None: the default value before Chrome 80; the cookie is sent on all cross-site requests
      • Lax: allows top-level navigations (navigations that change the URL in the browser) using a safe HTTP method, such as GET, to carry the cookie. In other words, the cookie is not sent with cross-site POST requests or when the site is loaded in a cross-origin frame, but it is sent when you navigate to the site via a standard top-level <a href=...> link.
      • Strict: the cookie is sent only when the request originates from the same site that set it. In other words, Strict completely blocks the cookie from being sent to a.com when a page from b.com makes the request. For example, if the Facebook login cookie were set to SameSite=Strict and you clicked a Facebook link from Google, the requested Facebook page would ask you to log in again because the login cookie is not sent along with the request.
    • Setting SameSite to Lax or Strict helps to mitigate CSRF. However, it is not a silver bullet: the Lax option does not cover all CSRF attack surfaces, see more here.
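The following is an added example (not code from the original notes) that models the browser's SameSite decision described above: given a cookie's SameSite value and Secure flag plus a description of the request, it answers whether the cookie rides along. The request scenarios are constructed, and registrable_site uses a deliberately simple "last two host labels" rule rather than the Public Suffix List.

```python
"""Added example: a model of the browser's SameSite decision for a cookie.

Not code from the original notes. The request scenarios are constructed and
`registrable_site` uses a simplified rule (last two host labels) instead of
the Public Suffix List.
"""
from dataclasses import dataclass

# "Safe" HTTP methods, which Lax allows on a cross-site top-level navigation
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


def registrable_site(host: str) -> str:
    """Reduce a host to its site, e.g. 'www.a.com' -> 'a.com' (assumption: no PSL lookup)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


@dataclass(frozen=True)
class Request:
    method: str                 # HTTP method the browser will use
    target_host: str            # host the request goes to (the cookie's host)
    initiator_host: str         # host of the page that triggered the request
    top_level_navigation: bool  # True for a link click / form submit that changes the URL bar
    https: bool = True          # scheme of the target URL


def cookie_is_sent(same_site: str, secure: bool, req: Request) -> bool:
    """Return True if a cookie with these attributes is attached to `req`."""
    if secure and not req.https:
        return False  # Secure cookies never travel over plain HTTP
    if registrable_site(req.target_host) == registrable_site(req.initiator_host):
        return True   # same-site request: SameSite imposes no restriction
    value = same_site.lower()
    if value == "strict":
        return False  # never attached to a cross-site request
    if value == "lax":
        # only a top-level navigation with a safe method carries the cookie
        return req.top_level_navigation and req.method.upper() in SAFE_METHODS
    if value == "none":
        return secure  # current browsers reject SameSite=None without Secure
    raise ValueError(f"unknown SameSite value: {same_site!r}")


# Constructed scenarios for a cookie set by a.com
LINK_CLICK = Request("GET", "a.com", "b.com", top_level_navigation=True)      # <a href> on b.com
FORGED_POST = Request("POST", "a.com", "b.com", top_level_navigation=True)    # CSRF-style form post
HIDDEN_IFRAME = Request("GET", "a.com", "b.com", top_level_navigation=False)  # <img>/<iframe> load
OWN_FORM = Request("POST", "a.com", "www.a.com", top_level_navigation=True)   # same-site submit


def matrix() -> dict:
    """Which (SameSite value, scenario) combinations send the cookie; all cookies marked Secure."""
    scenarios = (("link", LINK_CLICK), ("forged_post", FORGED_POST),
                 ("iframe", HIDDEN_IFRAME), ("own_form", OWN_FORM))
    return {(ss, name): cookie_is_sent(ss, True, req)
            for ss in ("None", "Lax", "Strict")
            for name, req in scenarios}


if __name__ == "__main__":
    for (ss, scenario), sent in matrix().items():
        print(f"SameSite={ss:<6} {scenario:<12} -> {'sent' if sent else 'withheld'}")
```

Running it reproduces the text: Strict withholds the cookie even on the plain link click (the Facebook-from-Google case), Lax sends it on the link click but not on the forged POST or the framed load, and only None lets the forged POST carry it.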
Summary
  • Set the HttpOnly flag whenever the cookie does not need to be accessed by client-side code.
  • Any cookie holding sensitive data should always have the Secure flag.
  • Limit the scope of the cookie via the Path attribute.
  • Make the cookie expire as soon as possible.
  • Consider setting the SameSite value to Lax or Strict to mitigate CSRF attacks.
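As an added example (not from the original notes), the checklist above can be turned into an audit of a Set-Cookie response header: the function below parses the header and reports which recommendations it violates. The 30-day lifetime threshold, the FIXED_NOW clock and the two sample headers are constructed for this example.

```python
"""Added example: audit a Set-Cookie header against the summary checklist.

Not code from the original notes. MAX_LIFETIME, FIXED_NOW and the sample
headers are constructed for this example.
"""
from __future__ import annotations

from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from typing import Optional

MAX_LIFETIME = timedelta(days=30)  # assumption: policy threshold for "expire as soon as possible"
FIXED_NOW = datetime(2026, 1, 1, tzinfo=timezone.utc)  # constructed clock so results are reproducible


def parse_set_cookie(header: str) -> tuple[str, str, dict]:
    """Split 'name=value; Attr; Attr=val' into (name, value, {attr_lowercase: val})."""
    first, *rest = header.split(";")
    name, _, value = first.partition("=")
    attrs = {}
    for part in rest:
        part = part.strip()
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()  # a repeated attribute: the last one wins
    return name.strip(), value.strip(), attrs


def cookie_lifetime(attrs: dict, now: datetime) -> Optional[timedelta]:
    """Lifetime of the cookie, or None for a session cookie / unparsable date."""
    if "max-age" in attrs:  # Max-Age takes precedence over Expires (RFC 6265)
        try:
            return timedelta(seconds=int(attrs["max-age"]))
        except ValueError:
            return None
    if "expires" in attrs:
        try:
            return parsedate_to_datetime(attrs["expires"]) - now
        except (TypeError, ValueError):
            return None
    return None


def audit_set_cookie(header: str, needs_js_access: bool = False,
                     now: Optional[datetime] = None) -> list[str]:
    """Return findings as 'code: explanation' strings; an empty list means the header passes."""
    now = now or datetime.now(timezone.utc)
    name, _, attrs = parse_set_cookie(header)
    findings = []
    if "httponly" not in attrs and not needs_js_access:
        findings.append(f"no-httponly: {name} is readable by script, so XSS can steal it")
    if "secure" not in attrs:
        findings.append(f"no-secure: {name} can be sent over plain HTTP, exposing it to a MitM")
    if attrs.get("path", "/") == "/":
        findings.append(f"broad-path: {name} is sent to every path on the site; restrict Path")
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        findings.append(f"weak-samesite: {name} rides on cross-site requests (CSRF); set Lax or Strict")
    ttl = cookie_lifetime(attrs, now)
    if ttl is not None and ttl > MAX_LIFETIME:
        findings.append(f"long-lifetime: {name} lives {ttl.days} days; shorten Expires/Max-Age")
    return findings


def finding_codes(header: str, **kw) -> set[str]:
    """Just the finding codes, convenient for comparing against a policy."""
    return {f.split(":", 1)[0] for f in audit_set_cookie(header, **kw)}


# Constructed sample headers, as a server might emit them
WEAK = "session=abc123; Path=/; Expires=Wed, 21 Oct 2026 07:28:00 GMT"
HARDENED = "session=abc123; Path=/account; Secure; HttpOnly; SameSite=Strict; Max-Age=900"

if __name__ == "__main__":
    for h in (WEAK, HARDENED):
        print(h)
        for f in audit_set_cookie(h, now=FIXED_NOW) or ["(no findings)"]:
            print("  -", f)
```

The needs_js_access switch exists because HttpOnly is only "essential" for cookies that client code never reads; a UI-preference cookie that script legitimately reads should not be flagged for it, while a session cookie always should.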