Insufficient Cookie Access Control describes the situation in which the domain, path, and secure cookie attributes aren’t being used correctly to limit access to cookies containing sensitive information. Cookies are pieces of information stored on the client side and sent back to the server with every request whose host and path match the cookie's scope. Because cookies are primarily used for authentication and maintaining sessions, securing a cookie effectively means securing a user’s identity.
Insufficient Cookie Access Control can be avoided by properly setting cookie attributes. These attributes can then be used by the user-agent when determining cookie access rights.
Two attributes ensure that cookies are sent securely and are not accessible to unintended parties or scripts: the “secure” attribute and the “HttpOnly” attribute. Two more, “domain” and “path”, control where the cookie is sent at all.
The “secure” attribute makes sure that the cookie is only sent with requests made over an encrypted (HTTPS) connection, so an attacker on the network path cannot steal it by sniffing plaintext traffic. The "domain" attribute signifies the domain for which the cookie is valid; when it is set, the cookie is submitted with every request to that domain and all of its subdomains, so a value wider than necessary exposes the cookie to every host under it. When "domain" is omitted, the cookie is sent only to the exact host that set it. The “path” attribute signifies the URL path prefix for which the cookie is valid. Note that path is a scoping hint, not a security boundary: the same-origin policy does not isolate paths, so script running on another path of the same origin can still read the cookie, for example by loading the cookie's path in an iframe and reading its document.cookie.
A cookie with the “HttpOnly” attribute is inaccessible to the JavaScript document.cookie API; the browser only includes it in requests to the server. For example, cookies that identify server-side sessions never need to be read by client-side script and should have the “HttpOnly” attribute. This precaution helps mitigate cross-site scripting (XSS) attacks: injected script cannot read and exfiltrate the session cookie, although it can still issue requests from the victim's browser that carry it.