What is it?
- A small piece of data stored in the browser.
- Can be set by:
  - the client, via JavaScript;
  - the server, via an HTTP response header.
- The cookie is automatically sent back to the server in the header of each request.
- Cookies of separate domains are kept separately, so a cookie of domain A cannot be accessed from domain B. This isolation can still be bypassed by an XSS attack (script injected into domain A runs as domain A and can read its cookies).
Cookie's attributes
- Domain
- Path: defines which paths can access the domain's cookies. We should restrict cookie access to a particular set of paths (instead of the default "/", i.e. all paths) to reduce the XSS attack surface.
- Expiration: sets the time when a cookie will be removed. The default expiration is the session time: when the browser closes, the cookie is removed.
- HttpOnly: if not set, client-side script can read the cookie => XSS attack.
- Secure: if not set, the cookie can be sent over a plain HTTP connection => man-in-the-middle attack.
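The attribute checklist above, turned into code. This is an added example (not part of the original notes, and not any library's API): buildSetCookie emits a Set-Cookie header value with the hardened defaults, parseSetCookie splits an incoming header into name, value and attributes, and auditSetCookie lists which of the recommendations above a given header violates. Function names, the "/app" path and the 15-minute lifetime are this example's own choices; the sample headers are constructed.

```javascript
// Added example: build and audit Set-Cookie header values against the
// attribute checklist (Path, Expiration, HttpOnly, Secure, SameSite).
// Plain Node.js, no dependencies. Function names are hypothetical.

// Serialize a cookie with hardened defaults. Each default can be overridden,
// but the safe value is what you get when you pass nothing.
function buildSetCookie(name, value, opts = {}) {
  const {
    path = '/app',        // restrict scope instead of the default "/"
    maxAge = 15 * 60,     // seconds; short lifetime instead of session-only
    httpOnly = true,
    secure = true,
    sameSite = 'Lax',
    domain,
  } = opts;
  // RFC 6265 token characters for the name; reject separators in the value
  if (!/^[A-Za-z0-9!#$%&'*+.^_`|~-]+$/.test(name)) {
    throw new Error('invalid cookie name');
  }
  if (/[;,\s]/.test(value)) {
    throw new Error('cookie value must not contain ";", "," or whitespace');
  }
  const parts = [`${name}=${value}`, `Path=${path}`, `Max-Age=${maxAge}`];
  if (domain) parts.push(`Domain=${domain}`);
  if (httpOnly) parts.push('HttpOnly');
  if (secure) parts.push('Secure');
  if (sameSite) parts.push(`SameSite=${sameSite}`);
  return parts.join('; ');
}

// Parse a Set-Cookie header value into { name, value, attrs }.
// attrs keys are lower-cased attribute names; flag attributes map to true.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const name = eq === -1 ? pair : pair.slice(0, eq);
  const value = eq === -1 ? '' : pair.slice(eq + 1);
  const attrs = {};
  for (const a of rest) {
    if (!a) continue;
    const i = a.indexOf('=');
    const k = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    attrs[k] = i === -1 ? true : a.slice(i + 1);
  }
  return { name, value, attrs };
}

// Report which recommendations a Set-Cookie header violates.
// Returns an array of finding strings; an empty array means it passes.
function auditSetCookie(header) {
  const { attrs } = parseSetCookie(header);
  const findings = [];
  if (!attrs.httponly) findings.push('missing HttpOnly: readable by client script (XSS)');
  if (!attrs.secure) findings.push('missing Secure: may be sent over plain HTTP (MitM)');
  if (!attrs.path || attrs.path === '/') findings.push('Path is "/" or unset: exposed to every path on the host');
  if (!attrs.expires && !attrs['max-age']) findings.push('no Expires/Max-Age: lives for the whole browser session');
  const ss = typeof attrs.samesite === 'string' ? attrs.samesite.toLowerCase() : '';
  if (ss === 'none') findings.push('SameSite=None: sent on all cross-site requests (CSRF)');
  else if (ss !== 'lax' && ss !== 'strict') findings.push('SameSite unset: depends on browser default');
  return findings;
}

// Constructed sample headers, as a server might emit them.
const weakHeader = 'session=abc123; Path=/';
const hardenedHeader = buildSetCookie('session', 'abc123');

console.log(hardenedHeader);
console.log('weak cookie findings:', auditSetCookie(weakHeader));
console.log('hardened cookie findings:', auditSetCookie(hardenedHeader));
```

Run it with node and compare the two findings lists: the weak header trips every check, the built one passes. The audit is deliberately strict about Path="/" and a missing expiry, since the notes treat both as defaults to move away from rather than errors in themselves.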

- SameSite
  - This flag helps the browser decide whether to send third-party cookies along with a cross-site request:
    - Third-party cookies: when you access website a.com but that page includes content (an image, a link, ...) from b.com, the cookies set by b.com are considered third-party cookies.
    - Those cookies allow services like Facebook, Google Analytics, DoubleClick, etc. to track users and serve online advertisements.
    - Those cookies also have the potential for CSRF attacks: an attacker can trick the user into opening a malicious link that, in turn, makes a "forged" request to the trusted site a.com. If the SameSite flag is not set properly, all cookies of a.com (including authentication cookies) are sent along with the forged request => the attacker can perform the action they want without the user's awareness.
  - SameSite cookie values:
    - None: the default value before Chrome 80; cookies can be used across sites.
    - Lax: allows top-level navigations (navigations that change the URL in the browser) with a safe HTTP method, like HTTP GET, to carry the cookies. In other words, the cookie will not be sent with cross-domain POST requests or when loading the site in a cross-origin frame, but it will be sent when you navigate to the site via a standard top-level <a href=...> link.
    - Strict: cookies with this setting are sent only when visiting the domain from which they were initially set. In other words, Strict completely blocks a cookie from being sent to a.com when a page from b.com makes the request. For example, if the Facebook login cookie is set to SameSite=Strict and you click a Facebook link from Google, the requested Facebook page will require you to log in again because the login cookie is not sent along with the request.
  - Setting the SameSite flag to Lax or Strict helps mitigate CSRF attacks. However, this is not a silver bullet: the Lax SameSite option doesn't cover all of the CSRF attack surface, see more here.
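A small model of the decision the browser makes for each of the three values above. This is an added example, not from the original notes and not how any real browser is implemented: it encodes only the rules stated in this section (same-site vs cross-site, top-level navigation, safe method, framed or scripted subresource) plus the modern rule that SameSite=None is honoured only together with Secure. Function names, the request shape and the site comparison (last two host labels) are this example's own simplifications; the scenarios are constructed.

```javascript
// Added example: simplified model of "does the browser attach this cookie
// to this request?" based on the cookie's SameSite value. Hypothetical API.

// Simplified site comparison: the last two labels of the host are the "site".
// Good enough for a.com / b.com; multi-label public suffixes (co.uk) are not handled.
function siteOf(host) {
  return host.toLowerCase().split('.').slice(-2).join('.');
}

const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS', 'TRACE']);

// cookie: { sameSite: 'None' | 'Lax' | 'Strict' | undefined, secure: boolean }
// req:    { initiatorHost, targetHost, method, topLevel }
//   topLevel is true for navigations that change the URL bar (link click,
//   form submission), false for images, iframes, fetch/XHR.
// Returns true if the modeled browser would send the cookie.
function wouldSendCookie(cookie, req) {
  const crossSite = siteOf(req.initiatorHost) !== siteOf(req.targetHost);
  if (!crossSite) return true; // SameSite never restricts same-site requests

  // Unset: modeled as the modern Chrome default (Lax); before Chrome 80 it was None.
  const mode = (cookie.sameSite || 'Lax').toLowerCase();
  switch (mode) {
    case 'strict':
      return false; // never sent on cross-site requests
    case 'lax':
      // only top-level navigations using a safe method
      return Boolean(req.topLevel) && SAFE_METHODS.has(req.method.toUpperCase());
    case 'none':
      // modern browsers reject SameSite=None unless Secure is also set
      return Boolean(cookie.secure);
    default:
      throw new Error(`unknown SameSite value: ${cookie.sameSite}`);
  }
}

// Constructed scenarios from the notes: the forged CSRF POST, the link click
// from another site, and a cross-origin iframe load.
const forgedPost = { initiatorHost: 'b.com', targetHost: 'a.com', method: 'POST', topLevel: true };
const linkClick  = { initiatorHost: 'www.google.com', targetHost: 'www.facebook.com', method: 'GET', topLevel: true };
const iframeLoad = { initiatorHost: 'b.com', targetHost: 'a.com', method: 'GET', topLevel: false };

function runScenarios() {
  return {
    forgedPostNone:   wouldSendCookie({ sameSite: 'None', secure: true }, forgedPost),
    forgedPostLax:    wouldSendCookie({ sameSite: 'Lax' }, forgedPost),
    forgedPostStrict: wouldSendCookie({ sameSite: 'Strict' }, forgedPost),
    linkClickLax:     wouldSendCookie({ sameSite: 'Lax' }, linkClick),
    linkClickStrict:  wouldSendCookie({ sameSite: 'Strict' }, linkClick),
    iframeLax:        wouldSendCookie({ sameSite: 'Lax' }, iframeLoad),
  };
}

console.log(runScenarios());
```

The output shows the trade-off described above: Lax already blocks the forged POST and the framed load while still letting the Google-to-Facebook link arrive logged in, whereas Strict also drops the cookie on that link (hence the re-login). What neither value does is protect same-site requests or a cross-site GET that itself changes state, which is why the notes call SameSite a mitigation rather than a complete CSRF defence.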
Summary
- The HttpOnly flag is essential whenever the cookie does not need to be accessed by client-side code.
- Any cookie holding sensitive data should always have the Secure flag.
- Limit the access scope of the cookie via the Path attribute.
- Set the Expiration time as early as possible.
- Consider setting the SameSite cookie value to Lax or Strict to mitigate CSRF attacks.