Insufficient Cookie Access Control

Insufficient Cookie Access Control describes the situation in which the domain, path, and secure cookie attributes aren’t being used correctly to limit access to cookies containing sensitive information. Cookies are pieces of information stored on the client side and sent to the server with every client request. Because cookies are primarily used for authentication and maintaining sessions, securing a cookie effectively means securing a user’s identity. 

Insufficient Cookie Access Control can be avoided by properly setting cookie attributes. These attributes can then be used by the user-agent when determining cookie access rights. The “secure” attribute makes sure that the cookie will only be sent with requests made over an encrypted connection so that an attacker won’t be able to steal cookies by sniffing. The “domain” attribute signifies the domain for which the cookie is valid and can be submitted with every request for this domain or its subdomains. The “path” attribute signifies the URL or path for which the cookie is valid.