Questions tagged [cookies]

A cookie, also known as an HTTP cookie, web cookie, or browser cookie, is a small piece of state that an origin website sends to a user's browser and that the browser returns to the origin site on later requests. The state can be used for authentication, identification of a user session, user preferences, shopping cart contents, or anything else that can be accomplished by storing text data on the user's computer.

789 questions
124 votes · 3 answers

Session Authentication vs Token Authentication

I am trying to get a handle on some terms and mechanisms and find out how they relate to each other or how they overlap. Authenticating a theoretical web application and mobile application is the focus. The focus is on the exact difference between…
Hoax (2,705 rep; 4 gold, 13 silver, 11 bronze badges)
109 votes · 4 answers

Do I need CSRF token if I'm using Bearer JWT?

Context: Angular site is hosted on S3 behind CloudFront, separate from Express server that is used as API and almost all requests are XMLHttpRequests. All requests are sent without cookies (withCredentials = false by default) and I use JWT Bearer…
Igor Pomogai (1,193 rep; 2 gold, 8 silver, 7 bronze badges)
91 votes · 5 answers

How does Facebook track your browsing without third party cookies?

Facebook has served me an ad for a website I visited earlier in the day. I have third party cookies disabled and have not followed any links between the website and Facebook (links which could contain a tracking ID connecting my Facebook account to…
Jesse (761 rep; 1 gold, 6 silver, 5 bronze badges)
88 votes · 5 answers

Can an "Accept cookie" button on a website be malicious?

I don't remember when this "accept/cancel cookie" button started to be used on websites. Why do they insist on getting users to click on this button? Can it do any harm to the user's PC or collect any private and sensitive data? Their reason for…
0_o (1,142 rep; 1 gold, 9 silver, 19 bronze badges)
83 votes · 7 answers

Does a CSRF cookie need to be HttpOnly?

We were recently handed a security report containing the following: Cookie(s) without HttpOnly flag set vulnerability, which we apparently had in one of our internal applications. The applied fix was as simple as setting Django's…
alecxe (1,515 rep; 5 gold, 19 silver, 34 bronze badges)
65 votes · 5 answers

Why is passing the session id as url parameter insecure?

I recently followed a discussion where one person stated that passing the session id as a url parameter is insecure and that cookies should be used instead. The other person said the opposite and argued that Paypal, for example, is passing the…
Jonathan Egerton (815 rep; 1 gold, 8 silver, 6 bronze badges)
64 votes · 2 answers

Are EU cookie consent forms safe?

Does the EU consent form system pose a new security risk? Today we have to click OK on about 20 cookie consent forms every week, where previously we could mostly dismiss internet forms as being invasive and risky. There are so many EU consent forms,…
LifeInTheTrees (849 rep; 1 gold, 7 silver, 13 bronze badges)
63 votes · 5 answers

What are the risks of just clearing cookies instead of logging off?

A typical web authentication workflow looks like this: User provides their credentials. Server validates credentials. If credentials are valid, Server generates a token. Server keeps this token. Server responds to the login with this…
Joseph (731 rep; 1 gold, 5 silver, 8 bronze badges)
54 votes · 1 answer

Why use an authentication token instead of the username/password per request?

The author of https://stackoverflow.com/a/477578/14731 recommends: DO NOT STORE THE PERSISTENT LOGIN COOKIE (TOKEN) IN YOUR DATABASE, ONLY A HASH OF IT! [...] use strong salted hashing (bcrypt / phpass) when storing persistent login tokens. I was…
Gili (2,149 rep; 3 gold, 23 silver, 41 bronze badges)
52 votes · 3 answers

Why is it insecure to store the session ID in a cookie directly?

I am learning about session middleware. You have to supply a secret or the middleware complains: app.use(session({ secret: "abc", resave: false, saveUninitialized: false, store: new MongoStore({ mongooseConnection: mongoose.connection …
Angular noob (717 rep; 1 gold, 6 silver, 7 bronze badges)
52 votes · 3 answers

For SameSite cookie with subdomains what are considered the same site?

For the samesite cookie attribute I'm not clear on whether, if I set a cookie with domain .example.com from sub.example.com with the samesite attribute, it will be considered the same site as other.example.com. Cookie behavior is different than CORS and…
derduher (623 rep; 1 gold, 4 silver, 6 bronze badges)
51 votes · 3 answers

How can I check that my cookies are only sent over encrypted https and not http?

I read a blog post GitHub moves to SSL, but remains Firesheepable that claimed that cookies can be sent unencrypted over http even if the site is only using https. They write that a cookie should be marked with a "secure flag", but I don't know how…
Jonas (5,063 rep; 7 gold, 32 silver, 35 bronze badges)
48 votes · 7 answers

Why isn't stealing cookies enough to authenticate?

I tried to export all my cookies through the 'Edit This Cookie' extension on a logged-in page which uses cookie authentication. While logged out I tried inserting those cookies hoping that I would be logged in, but nothing happened. After searching…
Kartikey singh (559 rep; 1 gold, 4 silver, 6 bronze badges)
46 votes · 2 answers

Will same-site cookies be sufficient protection against CSRF and XSS?

I must say that I like this idea and it seems that it will bring a new form of protection against CSRF and XSS or at least it will reduce those attacks. So, how effective will this protection be? SameSite cookies are a mechanism for defining how…
Mirsad (10,005 rep; 8 gold, 33 silver, 53 bronze badges)
42 votes · 4 answers

Can a webpage read another page's cookies?

I was listening to Pandora as I logged in here, and the next commercial was about InfoSec. That set me wondering as to whether that was a coincidence (probably) or if they knew somehow. To make a long story short, I was wondering whether a webpage…
KnightOfNi (2,247 rep; 3 gold, 18 silver, 23 bronze badges)