Things You Don't Know About Cookies and How to Protect Them - Mohamed Shiralizadeh
Did you know session cookies are stored in an accessible database file? Learn how the SameSite and HttpOnly attributes are essential for protecting them from theft.
#1 (about 3 minutes)
The origin and lifecycle of web cookies
Cookies were created by Netscape to maintain state, using the `Set-Cookie` header in responses and the `Cookie` header in subsequent requests.
#2 (about 4 minutes)
How browsers store cookies on your local machine
Cookies are stored in an easily decryptable SQLite database file on the user's machine, which poses a security risk to anyone with physical or local access to that machine.
#3 (about 8 minutes)
Configuring cookie name, value, and domain attributes
The `name` and `value` attributes define the cookie's data, while the `domain` attribute controls its availability across subdomains.
#4 (about 3 minutes)
Managing cookie lifespan with expires and max-age
The `expires` and `max-age` attributes control cookie deletion on the client, but server-side session invalidation is also crucial for security.
#5 (about 4 minutes)
Enforcing HTTPS connections with the secure attribute
Setting the `secure` flag on a cookie ensures it is only transmitted over an encrypted HTTPS connection, preventing it from being sent over insecure HTTP.
#6 (about 5 minutes)
Mitigating XSS attacks with the HttpOnly attribute
The `HttpOnly` attribute prevents client-side scripts from accessing the cookie via `document.cookie`, which protects against session hijacking through XSS attacks.
#7 (about 5 minutes)
Defining site vs origin for the SameSite attribute
Understanding the distinction between a "site" and an "origin" is key to correctly configuring the `SameSite` cookie attribute for security.
#8 (about 6 minutes)
Using SameSite=None for intentional cross-site cookies
Setting `SameSite=None` allows cookies to be sent in all cross-site contexts, which is necessary for tracking and embeds but requires the `Secure` attribute.
#9 (about 10 minutes)
Comparing SameSite Lax and Strict for security
`SameSite=Lax` (the default) allows cookies on top-level navigation, while `SameSite=Strict` provides maximum security by blocking them even in that scenario.
#10 (about 4 minutes)
How browser privacy settings block third-party cookies
User privacy settings that block third-party cookies effectively override the `SameSite=None` attribute, preventing cross-site tracking regardless of the cookie's configuration.
#11 (about 3 minutes)
Comparing cookies with local storage for authentication
Cookies are generally preferred over local storage for authentication tokens because of built-in browser security features like `HttpOnly` and `SameSite`.
#12 (about 5 minutes)
The importance of continuous learning in web security
Developers must continuously refresh their knowledge of web security fundamentals to defend against evolving threats like supply chain attacks and AI-driven misinformation.
#13 (about 6 minutes)
Clarifying max-age priority and cookie performance impact
The `max-age` attribute is prioritized over `expires` by modern browsers and is more efficient, while large cookies can degrade performance by increasing request header size.