Questions tagged [cookies]

A cookie, also known as an HTTP cookie, web cookie, or browser cookie, is used for an origin website to send state information to a user's browser and for the browser to return the state information to the origin site. The state information can be used for authentication, identification of a user session, user's preferences, shopping cart contents, or anything else that can be accomplished through storing text data on the user's computer.

832 questions
39 votes, 6 answers

Secure Session Cookies

While looking up methods for creating secure session cookies I came across this publication: A Secure Cookie Protocol. It proposes the following formula for a session cookie: cookie = user | expiration | data_k | mac where | denotes…
Uyghur Lives Matter
7 votes, 1 answer

What will disabling third party cookies block?

What is the difference between 1st party cookies and 3rd party cookies, and what are the pros and cons of disabling them? Will Facebook and Google (and other ad companies) be completely unable to track you when you're not on their site? What about if…
Knee
7 votes, 1 answer

Is the sameSite attribute redundant on an httpOnly cookie?

If a cookie (auth cookie in particular) has httpOnly attribute set, does sameSite attribute add any other layer of security? From my understanding, sameSite is used to prevent CSRF, but httpOnly mitigates that, no? Only thing I can think of is that…
dwelle
7 votes, 3 answers

Hashed username and password in remember-me token?

The MVC Framework Symfony uses the following method in its creation of a remember me cookie: /** * Generates a hash for the cookie to ensure it is not being tempered with. * * @param string $class * @param string $username The username * @param…
Andresch Serj
6 votes, 1 answer

Cookie Tossing explained

Can someone explain to me what cookie tossing is, how it can be used to hijack someone's session, and how we can prevent it? I am a bit confused about this subject.
Jota Onasys
6 votes, 5 answers

Store username in cookie for a web site

I want to store the username for a web site in the cookie; is it secure? What can a hacker do with this info?
Jon smith optional
5 votes, 1 answer

Should cookies expire?

Let's say I have an account on a blog. I'm using https on every single page of that blog through web server rules, so there is no way to visit the page in clear text. I'm also using a laptop that utilizes full disk encryption, and I'm the one…
Mikhail Morfikov
5 votes, 2 answers

Anti-replay attack for secure cookies?

In the system that I'm working on, we have some session cookies on the client side that we need to protect against replay attacks. So I found the following paper http://www.cse.msu.edu/~alexliu/publications/Cookie/cookie.pdf from this…
sgres
5 votes, 1 answer

Should cookies that contain non-sensitive information be encrypted?

I'm in the process of creating a website and use cookies to track user login. The only bit of information I store in this cookie is the user's username. Should I be encrypting the username even though it isn't sensitive information such as a…
user22679
4 votes, 1 answer

Storing users' cookies in a database on a server

I want to use Apple Push Notification Service, so I need a server. This server will have to check a site every x minutes. How the site that has to be checked requires the user to log in. So is it ok security-wise to get the user to log in on a web…
Jonathan.
4 votes, 1 answer

Cookie without secure flag but with httponly

I have a cookie that is httponly but without the secure flag. Under this condition, can an attacker capture the cookie, although the site is only on HTTPS?
moskino11
4 votes, 3 answers

Are HttpOnly or Secure flags needed if no login?

My question is really simple, are HttpOnly or Secure flags needed if a website doesn't have a private part accessible with login?
ebdecastro
4 votes, 1 answer

Hashing cookie-values & preventing cookie-stealing

I have a problem with understanding how one would securely store a hashed cookie, and how to actually hash a cookie. This is the situation: every visitor (not just registered users, but also unregistered visitors) of the website gets his own 'secret page', there he…
O'Niel
4 votes, 0 answers

Is there any risk if my Google Analytics cookies can be seen by an attacker?

In particular, I'm concerned about a scenario where I'm using GA cookies on a subdomain, e.g. alice.example.com, and the cookies are marked as .example.com, which means that a site on eve.example.com can see them. Can Eve do anything malicious with…
Roger Lipscombe
3 votes, 4 answers

Some sites require that you accept cookies in order to use them. Does this mean that they can read/track my real IP?

The site I want to use says that it stores permanent cookies on my computer to track various things, for instance if I have two accounts with them. It says "Please note that if you set your browser to disable cookies, you may not be able to access…
Tesla