Cookies are simply small files that hold data such as the language used by the client, the time of the visit to the website and the links that were clicked; most importantly, on the client side they hold the items added to the shopping basket while shopping online.
1. Secure Attribute
2. HttpOnly Attribute
3. Expire Attribute
4. Domain and Path Attribute
The Secure attribute makes the browser send the cookie only over an encrypted channel (HTTPS): it informs the web browser that the cookie must not be sent in clear text.
If the Secure attribute is not set, an attacker can intercept the packet with tools such as Burp Suite, Paros Proxy or OWASP ZAP and carry out a MITM (Man In The Middle) attack.
An attacker can hijack your session when the Expire attribute is not set for active sessions, so it is mandatory to set an expiration time. The value depends on the purpose of the web application and must balance usability and security for each session; it shortens the window in which an attacker can hijack your session.
DOMAIN AND PATH ATTRIBUTE:
DOMAIN: Put simply, this attribute determines the hosts to which the cookie will be sent. Setting this attribute is a major concern for developers, but it should not be set too loosely. The domain is set to the server to which the client is meant to send the cookie.
For example: it is important for the tester to check this.
|TESTING BY OWASP ZAP|
Firebug in Mozilla Firefox can be used to check whether the cookie attributes are set properly or not.
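The checks described above (Secure, HttpOnly, expiry, Domain and Path) can also be automated instead of reading each cookie by hand in OWASP ZAP or Firebug. The following Python script is an added example, not code from the original post or from the ZAP or Firebug projects; the Set-Cookie headers it inspects are constructed sample values, and the request host www.example.com is an assumption the script needs in order to judge the Domain attribute.

```python
"""Audit Set-Cookie headers for the Secure, HttpOnly, expiry, Domain and Path
attributes. Added example, not from the original post: paste the Set-Cookie
headers a proxy captured into SAMPLE_HEADERS and run the script."""

# Constructed sample headers, as an intercepting proxy might capture them.
# They do not come from any real site.
SAMPLE_HEADERS = [
    "sessionid=abc123; Path=/; Secure; HttpOnly; Max-Age=1800",
    "sessionid=abc123; Path=/",
    "prefs=en; Domain=.example.com; Path=/; Expires=Wed, 09 Jun 2021 10:18:14 GMT",
]


def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, {attribute: value}).

    Attribute names are lower-cased so 'HttpOnly' and 'httponly' compare equal;
    flag attributes without a value (Secure, HttpOnly) map to the empty string.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def audit_cookie(header, request_host):
    """Check one Set-Cookie header and return a report dict with an 'issues' list.

    request_host is the host the response came from (an assumption, since a bare
    header does not carry it); it is needed to judge the Domain attribute.
    """
    name, _value, attrs = parse_set_cookie(header)
    issues = []

    # Secure: without it the browser also sends the cookie over plain HTTP,
    # where anyone on the path can read it.
    secure = "secure" in attrs
    if not secure:
        issues.append("missing Secure: cookie can be sent over unencrypted HTTP")

    # HttpOnly: without it page scripts can read the cookie via document.cookie.
    httponly = "httponly" in attrs
    if not httponly:
        issues.append("missing HttpOnly: cookie is readable by script")

    # Expiry: Max-Age or Expires bounds the lifetime; with neither, the cookie
    # lives for the whole browser session.
    has_expiry = "max-age" in attrs or "expires" in attrs
    if not has_expiry:
        issues.append("no Max-Age/Expires: cookie has no server-set lifetime")

    # Domain: omitted means host-only, the tightest scope. A parent domain such
    # as .example.com shares the cookie with every subdomain.
    domain = attrs.get("domain", "").lstrip(".").lower()
    host = request_host.lower()
    if not domain:
        domain_scope = "host-only"
    elif host == domain or host.endswith("." + domain):
        domain_scope = f"{domain} and all its subdomains"
        if host != domain:
            issues.append(f"Domain={domain} shares the cookie with every subdomain")
    else:
        domain_scope = "rejected"
        issues.append(f"Domain={domain} does not cover {host}; browsers ignore the cookie")

    # Path: reported so the tester can decide whether '/' is wider than needed.
    path = attrs.get("path", "(default)")

    return {
        "name": name,
        "secure": secure,
        "httponly": httponly,
        "has_expiry": has_expiry,
        "domain_scope": domain_scope,
        "path": path,
        "issues": issues,
    }


def audit_all(headers, request_host):
    """Audit a list of Set-Cookie headers; returns one report per header."""
    return [audit_cookie(h, request_host) for h in headers]


if __name__ == "__main__":
    for report in audit_all(SAMPLE_HEADERS, "www.example.com"):
        status = "OK" if not report["issues"] else f"{len(report['issues'])} issue(s)"
        print(f"{report['name']}: {status}; domain {report['domain_scope']}; path {report['path']}")
        for issue in report["issues"]:
            print("  -", issue)
```

The first sample header passes every check, the second is a bare session cookie with no Secure, HttpOnly or expiry, and the third shows a Domain set more loosely than the serving host. The script only reads headers; it does not contact any server, so it can be run against headers exported from a proxy session offline.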
In this post I focused on the Secure, HttpOnly, Expire, Domain and Path cookie attributes, which are important for preventing session hijacking attacks.