Secure Cookie Configuration
Properly configuring cookie attributes to prevent theft, tampering, and misuse of session and authentication cookies.
Description
Cookies are a primary mechanism for maintaining user sessions and storing authentication tokens in web applications. Insecure cookie configuration is a common vulnerability that can lead to session hijacking, cross-site request forgery, and information disclosure. Proper cookie configuration requires setting multiple security attributes that control how, when, and where cookies are transmitted.
The critical security attributes for cookies include: Secure, which ensures the cookie is only sent over HTTPS connections; HttpOnly, which prevents JavaScript access to the cookie, mitigating XSS-based session theft; SameSite, which controls whether the cookie is sent on cross-site requests, limiting CSRF attacks; Domain and Path, which limit the scope of cookie transmission; and Max-Age/Expires, which control cookie lifetime. Each attribute addresses a specific attack vector.
Beyond individual flag settings, secure cookie configuration involves using cookie prefixes (__Host- and __Secure-) that enforce additional browser-level constraints, keeping cookie payloads minimal (storing only a session ID rather than sensitive data), signing cookies with HMAC to detect tampering, and implementing proper session lifecycle management including secure generation, timeout, rotation on privilege changes, and complete invalidation on logout.
Prompt Snippet
Configure session cookies with all security flags: Secure, HttpOnly, SameSite=Lax (or Strict for sensitive operations), Path=/, and a reasonable Max-Age (e.g., 86400 for 24 hours). Use the __Host- cookie prefix to enforce Secure + Path=/ + no Domain attribute constraints. In Express, configure express-session or cookie-session with these flags explicitly. Sign cookies using a strong secret (32+ bytes) and rotate signing keys periodically. Store only opaque session IDs in cookies, never user data or JWTs containing PII. Implement session rotation on login/privilege escalation using req.session.regenerate().
Related Terms
HttpOnly & Secure Flags
Cookie attributes that prevent JavaScript access (HttpOnly) and restrict transmission to HTTPS (Secure), protecting against XSS and network interception.
SameSite Cookie Attribute
A cookie attribute that controls whether cookies are sent with cross-site requests, providing built-in CSRF protection.
CSRF (Cross-Site Request Forgery) Protection
Mechanisms to prevent unauthorized commands from being transmitted from a user that the web application trusts.
HTTPS Enforcement (HSTS)
Mechanisms that ensure all communication occurs over encrypted HTTPS connections, preventing protocol downgrade attacks.