DEV Community

Cover image for Security🔐 Concerns with Cookies🍪.
tanishmohanta
tanishmohanta

Posted on • Edited on

Security🔐 Concerns with Cookies🍪.

What actually cookie is Here
Cookies are small pieces of data stored in a user's browser by a website to remember certain information about the user or track their activities. Though cookies are generally secure when implemented correctly, there are some security concerns associated with them. Let's explore these security concerns in detail:

🔏Man-in-the-Middle (MitM) Attacks:

In a MitM attack, a malicious actor positions themselves between the user's browser (the client) and the web server. This allows the attacker to intercept and view the communication between the two parties. If the communication is not encrypted, the attacker can read sensitive data, including cookies, transmitted between the client and server.

Image description
Source: MITH

Mitigation:

To protect against MitM attacks, websites should enforce the use of HTTPS (HTTP Secure) for all data transmission. HTTPS encrypts the data exchanged between the client and server, making it extremely difficult for attackers to read or modify the information, including cookies.

So, developers should ensure that cookies containing sensitive information or authentication tokens have the Secure attribute set. When the Secure attribute is present, the browser will only send the cookie over an encrypted HTTPS connection, preventing its exposure over unsecured HTTP connections.

Example:

document.cookie = 'dark_mode=false; Secure';

Enter fullscreen mode Exit fullscreen mode

🔏Cross-Site Scripting (XSS) Attacks:

XSS attacks occur when an attacker injects malicious scripts into a website that is viewed by other users. The injected scripts execute within the context of the victim's browser, allowing the attacker to steal cookies, session information, or perform unauthorized actions on the user's behalf.

Image description
Source: XSS

Mitigation:

Developers must adopt strict input validation and output encoding practices to prevent XSS vulnerabilities. Any user-provided data displayed on the website should be thoroughly sanitized to prevent malicious scripts from being executed.

To minimize the impact of XSS attacks on cookies, the HttpOnly attribute should be used. By adding HttpOnly, the cookie can only be accessed by the server-side code and not by JavaScript running in the user's browser. This prevents malicious scripts from stealing cookie data using the Document.cookie API.

Example:

document.cookie = 'dark_mode=false; Secure; HttpOnly';

Enter fullscreen mode Exit fullscreen mode

🔏Cross-Site Request Forgery (CSRF) Attacks:

CSRF attacks involve tricking a user's browser into unknowingly making an unintended request to a different website where the user is authenticated. If the user is logged in to the targeted website, the request will be executed with their credentials, leading to potential account compromise or unauthorized actions.

Image description
Source: CSRF

Mitigation:

To defend against CSRF attacks, developers should implement CSRF tokens in their web applications. These tokens are unique for each user session and should be included in all requests that perform sensitive actions, such as changing account settings or making transactions. The server then validates the token to ensure that the request is legitimate and not an attempt to exploit CSRF vulnerabilities.

Moreover, the SameSite attribute can be used with cookies to mitigate CSRF risks. By setting SameSite=Strict, the browser ensures that cookies are only sent to the same site from which they originated, reducing the chances of unauthorized requests from other domains.

Example:

document.cookie = 'dark_mode=false; Secure; HttpOnly; SameSite=Strict';

Enter fullscreen mode Exit fullscreen mode

Alternatives to Cookies:

While cookies have been widely used for storing user information, modern web development offers alternative approaches:

  • 📌SessionStorage and LocalStorage: These are client-side storage mechanisms that allow developers to store data within the user's browser. Unlike cookies, these storages are limited to the current browser tab or window and are not sent to the server with each request. While useful for certain use cases, they lack server-side validation and are not suitable for managing user authentication.
  • 📌Token-Based Authentication (e.g., JWT): Token-based authentication provides a more secure way to manage user sessions and authentication. When a user logs in, the server generates a unique token containing user information and signs it cryptographically. The token is then sent to the client and included in subsequent requests. This approach eliminates the need for cookies to manage user sessions and provides better security against various attacks.

Happy Learning!! , Until next time🫂.
If you liked the article, do hit like😃.

Top comments (9)

Collapse
 
polaroidkidd profile image
Daniel Einars

localStorage is susceptible to XSS attacks AFAIK. The best way IMO is to handle it is using JWT tokens using the Set-Cookie header. Cookies set with this header cannot be interacted with using JS (but as I'm typing this, I might be wrong. Maybe it's possible to read them but I know you can't interfere with it in the response object since it's a "forbidden-response-header-name"). The JWT token is sent with every request and the backend can do the verification.

I don't know about session storage.

Collapse
 
tanishtt profile image
tanishmohanta

Thank you for taking the time to comment and share your insights! You're absolutely right about LocalStorage and XSS vulnerabilities. It's true that LocalStorage, being a client-side storage mechanism, is susceptible to certain types of attacks, including cross-site scripting (XSS).
To improve security, using JWT tokens with the Set-Cookie header is indeed a better approach. This method ensures that the cookies cannot be directly interacted with using JavaScript, thereby reducing the risk of unauthorized access and potential attacks.Token-based authentication, especially with JWT, offers enhanced protection against various web threats, including XSS. By verifying the token with each request on the backend, the server can ensure the validity of the user's session and provide an extra layer of security.

Collapse
 
kurealnum profile image
Oscar

Really clean and concise article; I should probably look into implementing some of these features when I develop my own projects (if they aren't automatically implemented)!

Collapse
 
tanishtt profile image
tanishmohanta

Thankyou! Oscar. Best of luck for your Project👏.

Collapse
 
fruntend profile image
fruntend

Сongratulations 🥳! Your article hit the top posts for the week - dev.to/fruntend/top-10-posts-for-f...
Keep it up 👍

Collapse
 
tanishtt profile image
tanishmohanta

Thankyou !!!.

Collapse
 
jeanfranois_couture_a35 profile image
Jean-François Couture

Just remember there is no alternative to cookies. We must understand the difference between the functionality, the payload and the vulnerabilities. The vulnerability mentioned in the article are related to web application in general and can compromise any data stored in the browser or the server (JWT included). When it comes to store session or other sensitive information we have the choice to do it on the server or the client. The safest place is server side. If you have to store information client side and want to receive your stored payload with every request, cookies does just that. If you store information that must not be tempered with while stored in the wild, like authorization, JWT is a solution. Keep in mind that JWT can be stolen using the same vulnerabilities. The only difference is that their content can't be altered by a legitimate user or an attacker.

Collapse
 
hmphu profile image
Phu Hoang

Thank You for your great explanations

Collapse
 
tanishtt profile image
tanishmohanta

Welcome !