Encrypt it Or Forget it
In this lesson, we'll look at the Secure directive.
Introduction
Cookies contain very sensitive information. If attackers can get a hold of a session ID, they can impersonate users by hijacking their sessions.
Most session hijacking attacks happen through a man-in-the-middle (MITM) who can listen to the unencrypted traffic between the client and server and steal any information that's exchanged. If a cookie is exchanged via HTTP, then it's vulnerable to MITM attacks and session hijacking.
To overcome the issue, we can use HTTPS when issuing the cookie and add the Secure flag to it. This instructs browsers to never send this cookie in plain HTTP requests.
Example
Going back to our practical example at https://github.com/odino/wasec/tree/master/cookies, we can test this out by navigating to https://wasec.local:7889/?secure=on. The server sets two additional cookies, one with the Secure flag and one without.
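The rule described above can be modelled in a few lines. This is an added example, not code from the wasec repository: the cookie names, values and the plain-HTTP URL are constructed, and the model is simplified (it ignores Domain, Path and expiry matching).

```javascript
// Added example: how the Secure attribute decides which cookies a browser
// attaches to a request, plus a check for cookies issued without it.

// Parse one Set-Cookie header value into { name, value, secure }.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((part) => part.trim());
  const eq = pair.indexOf('=');
  if (eq < 1) return null; // nameless or malformed: skipped in this example
  return {
    name: pair.slice(0, eq),
    value: pair.slice(eq + 1),
    // Attribute names are case-insensitive, so "secure" counts too.
    secure: attrs.some((attr) => attr.toLowerCase() === 'secure'),
  };
}

// Names of the cookies that would be attached to a request for `url`:
// cookies marked Secure are withheld unless the scheme is https.
function cookiesSentTo(url, setCookieHeaders) {
  const isHttps = new URL(url).protocol === 'https:';
  return setCookieHeaders
    .map(parseSetCookie)
    .filter((c) => c && (isHttps || !c.secure))
    .map((c) => c.name);
}

// Defender's check: cookies issued without Secure, which a
// man-in-the-middle could read from any plain HTTP request.
function missingSecure(setCookieHeaders) {
  return setCookieHeaders
    .map(parseSetCookie)
    .filter((c) => c && !c.secure)
    .map((c) => c.name);
}

// Constructed sample headers (names and values are illustrative only).
const SAMPLE_HEADERS = [
  'with_secure=on; Secure',
  'without_secure=on',
  'session_id=abc123; Path=/; secure; HttpOnly',
];

console.log('over https:', cookiesSentTo('https://wasec.local:7889/', SAMPLE_HEADERS));
console.log('over http: ', cookiesSentTo('http://wasec.local/', SAMPLE_HEADERS));
console.log('missing Secure:', missingSecure(SAMPLE_HEADERS));
```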