A secure cookie, also known as an HttpOnly cookie, is a small file stored on the user's hard drive and transmitted with HTTP or HTTPS requests over the internet. HTTPS is a secure protocol that provides a protected way of sending data over an internet connection. The mechanism was originally a Microsoft extension, developed for Internet Explorer 6 SP1 to add some security. The idea is that cookies marked HttpOnly cannot be accessed from JavaScript; the benefit is that they prevent cookie theft through XSS vulnerabilities. Early versions of Mozilla Firefox did not support HttpOnly, but from Firefox 2.0.0.5 onward it does.
Differences between Regular & Secure Cookies.
If a browser does not support HttpOnly and a website attempts to set an HttpOnly cookie, the browser ignores the HttpOnly flag and creates a traditional, script-accessible cookie. As a result, the typical session cookie becomes vulnerable to theft or modification by malicious script.
How do Secure Cookies work exactly?
A secure cookie works by giving the server a mechanism to store and retrieve state information on the client application's system. This lets Web-based applications store information about selected items, user preferences, registration information, and other data that can be retrieved later. Cookies rely on two related headers, Set-Cookie and Cookie. The Set-Cookie header is sent in the HTTP response and creates the cookie on the user's system. The Cookie header is included by the client application with an HTTP request sent to a server whenever there is a cookie whose domain and path match that request.
What is an HttpOnly cookie?
An HttpOnly cookie carries a special 'HttpOnly' flag in the HTTP Set-Cookie header, which ensures the cookie will only be used when transmitting HTTP (or HTTPS) requests.
Combined, the Secure setting and the HttpOnly flag produce a more robust cookie that is less prone to attack. Together they let the browser restrict access to the cookie data from scripts running in the web browser. This limits the damage many cross-site scripting attacks can cause, specifically those that target cookie data.
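The following is an added example, not code from the original article: a small Python model of the browser-side behaviour described above. It parses constructed Set-Cookie headers into a cookie jar, applies the domain and path matching that decides which cookies go into the Cookie request header, withholds Secure cookies from plain HTTP requests, and hides HttpOnly cookies from what page script would see through document.cookie. Secure and HttpOnly are modelled as two separate attributes, which is how browsers treat them. The host name, cookie names and values are constructed for the demonstration.

```python
"""Model of how a browser stores cookies from Set-Cookie and decides which
to send in the Cookie header (domain/path/Secure) and which to expose to
script (HttpOnly). Constructed example; not a real browser."""
from dataclasses import dataclass
from typing import List


@dataclass
class Cookie:
    name: str
    value: str
    domain: str               # host the cookie belongs to
    path: str = "/"
    host_only: bool = True    # no Domain attribute: exact host match only
    secure: bool = False      # Secure: send over HTTPS only
    http_only: bool = False   # HttpOnly: hidden from document.cookie


def parse_set_cookie(header: str, request_host: str) -> Cookie:
    """Parse one Set-Cookie header value into a Cookie bound to request_host."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = Cookie(name=name.strip(), value=value.strip(), domain=request_host.lower())
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "secure":
            cookie.secure = True
        elif key == "httponly":
            cookie.http_only = True
        elif key == "domain" and val:
            cookie.domain = val.lstrip(".").lower()
            cookie.host_only = False
        elif key == "path" and val.startswith("/"):
            cookie.path = val
    return cookie


def domain_matches(cookie: Cookie, host: str) -> bool:
    """Host-only cookies need an exact host; Domain cookies also match subdomains."""
    host = host.lower()
    if cookie.host_only:
        return host == cookie.domain
    return host == cookie.domain or host.endswith("." + cookie.domain)


def path_matches(cookie_path: str, request_path: str) -> bool:
    """RFC 6265 path-match: equal, or a prefix ending at a '/' boundary."""
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"


class CookieJar:
    def __init__(self) -> None:
        self.cookies: List[Cookie] = []

    def store(self, set_cookie_header: str, request_host: str) -> None:
        """Store a cookie from a response; same name/domain/path replaces the old one."""
        new = parse_set_cookie(set_cookie_header, request_host)
        self.cookies = [c for c in self.cookies
                        if (c.name, c.domain, c.path) != (new.name, new.domain, new.path)]
        self.cookies.append(new)

    def _matching(self, scheme: str, host: str, path: str) -> List[Cookie]:
        # Secure cookies are only attached when the request goes over HTTPS
        return [c for c in self.cookies
                if domain_matches(c, host) and path_matches(c.path, path)
                and (scheme == "https" or not c.secure)]

    def cookie_header(self, scheme: str, host: str, path: str) -> str:
        """Value of the Cookie request header the browser would send."""
        return "; ".join(f"{c.name}={c.value}" for c in self._matching(scheme, host, path))

    def script_visible(self, scheme: str, host: str, path: str) -> str:
        """What document.cookie would show to page script: HttpOnly cookies are omitted."""
        return "; ".join(f"{c.name}={c.value}"
                         for c in self._matching(scheme, host, path) if not c.http_only)


# Constructed Set-Cookie headers, as if returned by https://www.example.com/
DEMO_HOST = "www.example.com"
DEMO_SET_COOKIE = [
    "SESSIONID=abc123; Path=/; Secure; HttpOnly",   # session token: HTTPS only, no script
    "prefs=dark; Path=/",                           # plain cookie, script readable
    "tracker=xyz; Domain=example.com; Path=/app",   # scoped to one path, any subdomain
]


def build_demo_jar() -> CookieJar:
    jar = CookieJar()
    for header in DEMO_SET_COOKIE:
        jar.store(header, DEMO_HOST)
    return jar


if __name__ == "__main__":
    jar = build_demo_jar()
    print("HTTPS /app/page  Cookie:          ", jar.cookie_header("https", DEMO_HOST, "/app/page"))
    print("HTTP  /app/page  Cookie:          ", jar.cookie_header("http", DEMO_HOST, "/app/page"))
    print("HTTPS /app/page  document.cookie: ", jar.script_visible("https", DEMO_HOST, "/app/page"))
    print("HTTPS /          Cookie:          ", jar.cookie_header("https", DEMO_HOST, "/"))
```

Running the script shows the session cookie present in the HTTPS request, absent from the HTTP request (Secure), and absent from the script-visible view (HttpOnly), while the path-scoped cookie drops out for a request to the site root. The session token still travels in the Cookie header of every matching HTTPS request, which is why HttpOnly blocks script theft but does nothing against a request-forging attack.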