Cookies/Flags
Secure
The Secure flag indicates that the cookie may only be transmitted to the server over HTTPS, never over plain HTTP.
HttpOnly
This flag indicates that the cookie can't be accessed through any means other than HTTP transmission. That is, no JavaScript, Flash or other client-side script can read this cookie; it is not meant to be accessed by the client directly.
This flag protects the cookie from cross-site scripting attempts to steal it (as could be done to hijack a session).
Path
The Path flag specifies which path on a host may access a cookie. Very useful when hosting on free hosts such as Geocities or ISP web space, where many unrelated sites share one hostname. Indeed, if http://www.geocities.com/mysupersite sets a cookie without the Path=/mysupersite flag, then http://www.geocities.com/myevilsite receives, and can steal, all the cookies from mysupersite, which will therefore starve. Uncool, isn't it? :(
Domain
Domain serves the opposite purpose to Path: it widens a cookie's scope beyond the FQDN that set it to a broader domain and its subdomains.
Say a cookie has been set by http://savitri.staff.blackhatacademy.org. By default, http://hatter.staff.blackhatacademy.org can't access it. But if the first wants to share it with the second, it sets Domain=.staff.blackhatacademy.org, and the cookie is then also sent to http://hatter.staff.blackhatacademy.org.
Note that if you specify another domain at the same level (that is, http://savitri.staff.blackhatacademy.org sets a cookie with Domain=errprone.staff.blackhatacademy.org), the result is not guaranteed, as your browser might reject this cookie.
Savitri says: this is to be checked and tested extensively, as it might be an interesting vector.
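To make the Path and Domain rules above concrete, here is an added example (not part of the wiki page) in Python that models how a browser decides, following RFC 6265, whether to keep a Set-Cookie at all and whether to attach the stored cookie to a given request; the hostnames are the ones used on this page, and the function names are assumed for the illustration.

```python
from urllib.parse import urlsplit
# Added example, not from the wiki: a minimal model of the RFC 6265 rules a
# browser applies to Secure, HttpOnly, Path and Domain, run on this page's hosts.
def domain_match(host, domain):
    """RFC 6265 5.1.3: host equals domain or is a subdomain of it."""
    host, domain = host.lower(), domain.lower().lstrip(".")
    return host == domain or host.endswith("." + domain)

def path_match(request_path, cookie_path):
    """RFC 6265 5.1.4: cookie path is the request path or a directory prefix of it."""
    if not request_path.startswith(cookie_path):
        return False
    return (request_path == cookie_path or cookie_path.endswith("/")
            or request_path[len(cookie_path)] == "/")

def store_cookie(set_cookie, setting_url):
    """Parse a Set-Cookie header as the browser would; None means rejected."""
    host = urlsplit(setting_url).hostname.lower()
    parts = [p.strip() for p in set_cookie.split(";")]
    name, _, value = parts[0].partition("=")
    c = {"name": name.strip(), "value": value.strip(), "secure": False,
         "httponly": False, "path": "/", "domain": host, "host_only": True}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "secure":
            c["secure"] = True
        elif key == "httponly":
            c["httponly"] = True
        elif key == "path" and val.startswith("/"):
            c["path"] = val
        elif key == "domain" and val:
            if not domain_match(host, val):  # setter is outside Domain: discarded
                return None
            c["domain"], c["host_only"] = val.lower().lstrip("."), False
    return c

def is_sent_to(cookie, url):
    """Would the browser attach this stored cookie to a request for url?"""
    u = urlsplit(url)
    host, path = (u.hostname or "").lower(), u.path or "/"
    if cookie["secure"] and u.scheme != "https":
        return False
    in_scope = (host == cookie["domain"] if cookie["host_only"]
                else domain_match(host, cookie["domain"]))
    return in_scope and path_match(path, cookie["path"])

def script_can_read(cookie):
    """document.cookie never exposes an HttpOnly cookie."""
    return not cookie["httponly"]
```

With these rules, the geocities cookie scoped to Path=/mysupersite is never attached to a request for /myevilsite, and a Domain value the setting host does not fall under is dropped at store time, which is the rejection the note above mentions.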