Hung Ngo's Blog

Securing cookies

Securing cookies

Hung Ngo's photo
Hung Ngo
·

6 min read

Hey everyone! Meet Cookie. Cookie is my girlfriend’s cat and today she will teach you a couple of things on how to secure your cookie, but first, let’s answer the old question “What are those cookies?”.

Cookies

A cookie is a small piece of data that is stored on a user’s computer by a web browser. It is often used to store user preferences, login information, and other pieces of data that a website may need to personalize the user’s experience. However, cookies can also be vulnerable to security risks such as cross-site scripting (XSS) and cross-site request forgery (CSRF).

What is an XSS and CSRF attack?

Cross-site scripting (XSS) is a type of web security vulnerability that allows an attacker to inject malicious code into a website. This code is then executed by the victim’s web browser, allowing the attacker to steal sensitive information or perform other malicious actions.

Cross-site request forgery (CSRF) is a type of web security vulnerability that allows an attacker to trick a victim into making unintended actions on a website. This can be done by tricking the victim into clicking on a link, submitting a form, or performing some other action that triggers a request to the website.

For example, suppose a victim is logged into their online banking account and is visiting a malicious website. The attacker can create a hidden form on the malicious website that submits a request to transfer money out of the victim’s account when the form is submitted. If the victim is still logged into their online banking account and submits the form, the request will be executed as if it were made by the victim.

Protecting cookies no Jutsu!

There are several ways you to secure cookies:

  1. Use the “HttpOnly” flag.

  2. Use the “Secure” flag.

  3. Use the “SameSite” flag.

  4. Use encrypted storage.

Let’s talk about them one by one.

HttpOnly and Secure flag

HttpOnly flag tells the browser that the cookie should not be accessible to client-side scripts. This can help to prevent cross-site scripting (XSS) attacks, in which an attacker injects malicious code into a website that is then executed by the victim’s browser.

Secure flag tells the browser that the cookie should only be sent over a secure connection (i.e., over HTTPS). This can help to prevent the cookie from being intercepted by a third party.

To set the HttpOnly flag on a cookie, you can include the flag in the “Set-Cookie” HTTP response header when you are sending the cookie to the browser. For example, in PHP, you can use the setcookie() function with the “httponly” option like this:

setcookie('my_cookie', 'value', time() + 3600, '/', 'example.com', true, true);

The seventh argument is the “secure” flag, and the eighth argument is the “httponly” flag. Setting both of these arguments to “true” will set the Secure and HttpOnly flags on the cookie, respectively.

Same-site flag

The same-site flag tells the browser that the cookie should only be sent with requests that originate from the same website that set the cookie. This can help to prevent cross-site request forgery (CSRF) attacks, in which an attacker tricks a user into requesting a website on behalf of the attacker.

To set the SameSite flag on a cookie, you can include the flag in the “Set-Cookie” HTTP response header when you are sending the cookie to the browser. The value of the SameSite flag can be either “Strict” or “Lax”. The “Strict” value specifies that the cookie should only be sent with requests that originate from the same site that set the cookie. The “Lax” value specifies that the cookie should be sent with requests that originate from the same site, but it may also be sent with “safe” requests made to a different site. “Safe” requests are typically made using methods that do not have the potential to modify data on the server. Here is an example written in PHP setting the policy to Strict.

setcookie('my_cookie', 'value', time() + 3600, '/', 'example.com', true, true, ['samesite' => 'Strict']);

Using an encrypted storage

If you are storing sensitive information in cookies (e.g., login credentials), you should consider using encrypted storage to further protect the data. This can help to prevent the cookie from being read if it is intercepted by a third party.

In PHP we can use “openssl_encrypt” function is to encrypt the plaintext data using the AES encryption algorithm with a 256-bit key and a random initialization vector. The random initialization vector is generated using the “openssl_random_pseudo_bytes” function, and it is prepended to the ciphertext before the data is base64-encoded and stored in the cookie.

When reading the cookie, the base64-encoded data is decoded and the initialization vector is extracted from the beginning of the data. The remaining ciphertext is then passed to the “openssl_decrypt” function along with the key and initialization vector, which is used to decrypt the data and return the original plaintext.

It is important to keep the key secret and to use a different key for each piece of data that you want to encrypt. You can choose a different encryption algorithm or key size if you prefer.

// Encrypt the data
$plaintext = 'sensitive data';
$key = 'my secret key'; // Should be stored elsewhere
$initializationVector = openssl_random_pseudo_bytes(openssl_cipher_iv_length('aes-256-cbc'));
$ciphertext = openssl_encrypt($plaintext, 'aes-256-cbc', $key, OPENSSL_RAW_DATA, $initializationVector);

// Store the encrypted data in a cookie
setcookie('my_cookie', base64_encode($initializationVector . $ciphertext), time() + 3600, '/', 'example.com', true, true);

// Decrypt the data when reading the cookie
if (isset($_COOKIE['my_cookie'])) {
  $data = base64_decode($_COOKIE['my_cookie']);
  $iv = substr($data, 0, 16);
  $ciphertext = substr($data, 16);
  $plaintext = openssl_decrypt($ciphertext, 'aes-256-cbc', $key, OPENSSL_RAW_DATA, $initializationVector);
  echo $plaintext;
}

Conclusion

To secure cookies, it is important to use the “HttpOnly” flag to prevent client-side scripts from accessing them and reduce the risk of XSS attacks. You should also use the “Secure” flag to ensure that cookies are only sent over a secure connection (i.e. over HTTPS) to prevent them from being intercepted by a third party. The “SameSite” flag can also be used to limit the scope of a cookie to requests that originate from the same website that set the cookie, which can help to prevent CSRF attacks.

In addition to these measures, you should consider setting an expiration date for your cookies and encrypting sensitive data stored in cookies to further protect your users’ data. Regularly updating and patching your software can also help to fix any known vulnerabilities.

By taking these steps to secure your cookies, you can help protect your users’ data and improve the security of your web application.

If you have read so far, you might want to follow me on Mastodon or LinkedIn to be notified of any of my new content.

cookiesappsec