Insufficient Cookie Access Control can be avoided by properly setting cookie attributes. The user-agent then uses these attributes when deciding which requests and which scripts may access the cookie.
Two attributes ensure that cookies are sent securely and are not accessed by unintended parties or scripts: the “secure” attribute and the “HttpOnly” attribute.
The “secure” attribute makes sure that the cookie is only sent with requests made over an encrypted connection, so an attacker cannot steal it by sniffing network traffic. The “domain” attribute specifies the domain for which the cookie is valid; the cookie is then submitted with every request to that domain or its subdomains. The “path” attribute specifies the URL path for which the cookie is valid.
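The following is an added example, not code from the original page. It builds Set-Cookie headers with the attributes described above, audits a header for the missing “secure” and “HttpOnly” flags, and simulates the user-agent's decision (a simplified form of the RFC 6265 domain and path matching rules) about whether a stored cookie is sent with a given request. The host names, paths and cookie values are constructed for illustration.

```python
from urllib.parse import urlsplit


def build_set_cookie(name, value, *, domain=None, path="/", secure=False, httponly=False):
    """Assemble a Set-Cookie header value carrying the requested attributes."""
    parts = [f"{name}={value}"]
    if domain:
        parts.append(f"Domain={domain}")
    parts.append(f"Path={path}")
    if secure:
        parts.append("Secure")
    if httponly:
        parts.append("HttpOnly")
    return "; ".join(parts)


def parse_set_cookie(header):
    """Parse a Set-Cookie header into the fields a user-agent stores per cookie."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = {"name": name, "value": value, "domain": None, "path": "/",
              "secure": False, "httponly": False}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "secure":
            cookie["secure"] = True
        elif key == "httponly":
            cookie["httponly"] = True
        elif key == "domain":
            # A leading dot is ignored by modern user-agents (RFC 6265 5.2.3).
            cookie["domain"] = val.strip().lower().lstrip(".")
        elif key == "path":
            cookie["path"] = val.strip() or "/"
    return cookie


def audit_set_cookie(header):
    """Report the attributes whose absence exposes the cookie to network
    sniffing (no Secure) or to page script via document.cookie (no HttpOnly)."""
    cookie = parse_set_cookie(header)
    findings = []
    if not cookie["secure"]:
        findings.append("missing Secure attribute")
    if not cookie["httponly"]:
        findings.append("missing HttpOnly attribute")
    return findings


def would_send(cookie, request_url, origin_host):
    """Simulate the user-agent's send decision (RFC 6265 5.4, simplified).
    origin_host is the host that set the cookie; it matters for cookies
    without a Domain attribute, which are host-only."""
    url = urlsplit(request_url)
    host = (url.hostname or "").lower()
    req_path = url.path or "/"

    # Secure: only over an encrypted connection.
    if cookie["secure"] and url.scheme != "https":
        return False

    # Domain: host-only without the attribute; with it, the domain itself
    # and every subdomain qualify.
    if cookie["domain"] is None:
        if host != origin_host.lower():
            return False
    elif host != cookie["domain"] and not host.endswith("." + cookie["domain"]):
        return False

    # Path: the request path must equal the cookie path or extend it at a
    # "/" boundary, so /application does not match a cookie scoped to /app.
    cpath = cookie["path"]
    if req_path == cpath:
        return True
    if req_path.startswith(cpath):
        return cpath.endswith("/") or req_path[len(cpath)] == "/"
    return False


def readable_by_script(cookie):
    """document.cookie can read the cookie unless HttpOnly is set."""
    return not cookie["httponly"]


if __name__ == "__main__":
    # Constructed sample headers: a weak cookie next to its hardened form.
    weak = build_set_cookie("session", "abc123")
    hardened = build_set_cookie("session", "abc123", domain="example.com",
                                path="/app", secure=True, httponly=True)
    for header in (weak, hardened):
        print(header, "->", audit_set_cookie(header) or "ok")
    c = parse_set_cookie(hardened)
    print("sent over http:", would_send(c, "http://example.com/app", "example.com"))
    print("sent to subdomain:", would_send(c, "https://api.example.com/app", "example.com"))
```

The audit function is the check to run over the Set-Cookie headers a server actually emits; the send simulation shows why a cookie without a Domain attribute stays host-only while one with `Domain=example.com` is also sent to every subdomain, which is the trade-off to weigh before widening a cookie's scope.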