Cookies — Be careful when storing it!

Cookie — Is the “cookie” harmless?

Server and client communicate with each other over the HTTP protocol, and this protocol is stateless: the server cannot tell whether two requests come from the same client or not. Cookies are the usual answer to this. The server sets a cookie on the client, and the client sends it back with every later request. A cookie has the following parts:

  • Name and value: the cookie's name and the value stored under it.
  • Domain: the domain the cookie is sent to. As shown below, the cookie is only sent when the client accesses
  • Expiration: how long the cookie stays on the client's computer. After this time, the browser deletes it.
Security problems that cookies can cause

As I said, cookies are sent with every request to the server, and the server relies on them to identify the user. Therefore, if we can "steal the cookie" of another person, we can impersonate that person.

  • Sniffing cookies on the network: with simple sniffing tools such as Fiddler or Wireshark, we can capture the cookies of users on the same network, then use EditThisCookie to load that cookie into our own browser and impersonate the user (see the HTTP post demo).
  • Cookie theft via XSS: with an XSS vulnerability, a hacker can run malicious JavaScript on the user's side. The script can read the cookie through the document.cookie property and send it to the hacker's server, where it is used to impersonate the user.
  • Cross-site request forgery (CSRF): a hacker can post a link inside an image tag. The browser automatically loads the image link, and of course the cookies go along with that request. The server behind the link reads the cookie from the request, identifies the user, and withdraws the money without the user's knowledge. This attack has many variations, which I will explain in the next article.


As I have repeated many times: you learn how to attack websites so that you know how to prevent attacks, not to hack and wreak havoc. If you find a security hole in someone else's website, email the admin so they can fix it; don't hack it and show off on Facebook.

  • Remember to set Expires and Max-Age: to limit the damage when a cookie is stolen, don't let it live for too long. Set the cookie's lifetime to somewhere between 1 day and 3 months, depending on what the application needs.
  • Use the HttpOnly flag: a cookie with this flag cannot be read through the document.cookie property, so even if the site has an XSS bug, a hacker cannot steal it.
  • Use the Secure flag: a cookie with this flag is only sent over HTTPS, so a hacker cannot sniff it.
  • Because cookies are easy to attack, never put important information (passwords, account numbers, ...) in them. If you really must store such data, encrypt it carefully.
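As an added example (not code from the original article), here is a small Python audit of a Set-Cookie header against the three mitigations above: HttpOnly, Secure, and a bounded lifetime. The two sample headers are constructed for the demo; the 3-month ceiling follows the range suggested above.

```python
"""Audit a Set-Cookie header for the mitigations above: HttpOnly, Secure,
and a bounded lifetime (Expires / Max-Age)."""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

MAX_LIFETIME = 90 * 24 * 3600  # about 3 months, the upper bound suggested above

# Constructed sample headers, not captured from any real site
WEAK_COOKIE = "session=abc123; Path=/; Expires=Wed, 01 Jan 2031 00:00:00 GMT"
HARDENED_COOKIE = "session=abc123; Path=/; Max-Age=604800; Secure; HttpOnly"

def parse_set_cookie(header):
    """Split 'name=value; Attr=val; Flag' into (name, value, {attr: val});
    attribute names are lower-cased and bare flags map to an empty string."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs

def lifetime_seconds(attrs, now):
    """Cookie lifetime in seconds, or None for a session cookie.
    Max-Age takes precedence over Expires, as browsers implement it."""
    if "max-age" in attrs:
        return int(attrs["max-age"])
    if "expires" in attrs:
        return int((parsedate_to_datetime(attrs["expires"]) - now).total_seconds())
    return None

def audit_cookie(header, now=None):
    """Return a list of findings; an empty list means the cookie passes."""
    now = now or datetime.now(timezone.utc)
    _name, _value, attrs = parse_set_cookie(header)
    findings = []
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: readable via document.cookie under XSS")
    if "secure" not in attrs:
        findings.append("missing Secure: sent over plain HTTP, so it can be sniffed")
    lifetime = lifetime_seconds(attrs, now)
    if lifetime is None:
        findings.append("no Expires/Max-Age: lifetime is left to the browser")
    elif lifetime > MAX_LIFETIME:
        findings.append("lifetime over 3 months: a stolen copy stays valid too long")
    return findings

if __name__ == "__main__":
    for cookie in (WEAK_COOKIE, HARDENED_COOKIE):
        print(cookie, "->", audit_cookie(cookie) or "OK")
```

Run it against the Set-Cookie headers your own application emits; any non-empty list points at one of the three mitigations listed above.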
