Preventing Insecure Cookies

Ensure that a cookie issued within an HTTPS session is never sent over plain HTTP. Mark every cookie that belongs to an HTTPS session with the Secure attribute so that the browser will not transmit it in clear text when the user visits an HTTP section of the same website; without the attribute, a single HTTP request (including one an attacker on the network can provoke, for example with an injected image link) leaks the session identifier. In Perl under mod_perl the attribute can be set through the Apache::Cookie module's secure option, and most web frameworks expose an equivalent setting. Browsers honour the Secure attribute and only send such cookies over TLS, but it must be set explicitly on each cookie: a server does not add it just because the response itself was served over HTTPS, so check the Set-Cookie headers the application actually emits.

Similarly, mark the cookie with the HttpOnly attribute, which stops client-side script from reading the cookie value through document.cookie. This blunts a cross-site scripting payload that would otherwise read the session identifier and post it to an attacker in order to perform session hijacking. Every current browser supports HttpOnly, but note its limit: it does not stop script already running in the page from issuing requests that the browser sends with the cookie attached, so it reduces the impact of XSS rather than eliminating it. As with Secure, verify the attribute in the response headers rather than trusting a framework default.
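The check a practitioner would run on the two attributes above, as an added example that is not part of the original article: a small Set-Cookie parser that reports which of Secure and HttpOnly are missing and emits the corrected header beside the weak one. The sample headers and the function names are constructed for this example.

```python
# Audit Set-Cookie headers for the Secure and HttpOnly attributes and show the
# corrected header beside the weak one. Added example; the sample headers below
# are constructed for illustration, not captured from any real server.

REQUIRED = ("secure", "httponly")                      # compared case-insensitively
CANONICAL = {"secure": "Secure", "httponly": "HttpOnly"}

SAMPLE_HEADERS = [
    "SESSIONID=8f3a9c1d2e; Path=/",                                  # no Secure, no HttpOnly
    "SESSIONID=8f3a9c1d2e; Path=/; Secure",                          # still readable by script
    "SESSIONID=8f3a9c1d2e; Path=/; Secure; HttpOnly; SameSite=Lax",  # hardened
    "theme=dark; Path=/; Max-Age=31536000",                           # non-session cookie
]


def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, attributes).

    Attribute names are lower-cased; flag attributes such as Secure map to "".
    Only the first '=' of the cookie-pair is split, so values containing '='
    (base64, for instance) survive intact.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def missing_flags(header):
    """Return the required attributes absent from this header, in REQUIRED order."""
    _, _, attrs = parse_set_cookie(header)
    return [flag for flag in REQUIRED if flag not in attrs]


def harden_set_cookie(header):
    """Append Secure and HttpOnly where absent; existing attributes are left untouched."""
    fixed = header.rstrip("; ")
    for flag in missing_flags(header):
        fixed += "; " + CANONICAL[flag]
    return fixed


if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        print(f"{header!r}")
        print(f"  missing: {missing_flags(header)}")
        print(f"  fixed:   {harden_set_cookie(header)!r}")
```

Run it against the headers a real deployment returns (for example the Set-Cookie lines from `curl -sI https://host/login`) and treat any session cookie with a non-empty `missing_flags` result as a finding; the `theme` cookie shows that the check applies to every cookie, although the consequences are only serious for those carrying a session identifier.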

To keep session identifiers from being reverse engineered, generate custom cookie values and session identifiers with a proven cryptographically secure random number generator (the platform's CSPRNG) and ample entropy, rather than with a scheme the developer has simply put together from counters, timestamps, user names or a hash of them. Hashing such inputs hides their structure but not their small search space, so an attacker who learns the scheme can enumerate candidate identifiers. Unpredictable values ensure that session hijacking by guessing or deriving another user's identifier isn't possible using this method.
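The contrast the paragraph draws, shown in code as an added example rather than anything from the original article: a constructed home-grown generator (MD5 over a counter and a timestamp, standing in for whatever a developer might improvise) is recovered and enumerated by an attacker who knows the scheme, while the CSPRNG-backed replacement has no such structure to exploit. All values and function names here are illustrative.

```python
# Predictable versus unpredictable session identifiers. Added example; the weak
# scheme is a constructed stand-in for a home-grown generator and is not taken
# from any real product.
import hashlib
import secrets


def weak_session_id(counter, issued_at):
    """Home-grown scheme: MD5 of a per-server counter and a second-granularity clock.

    The output looks random, but the inputs are a small integer and a timestamp,
    so the hash only hides the structure; the search space stays tiny.
    """
    return hashlib.md5(f"{counter}:{issued_at}".encode()).hexdigest()


def recover_weak_inputs(own_id, own_time, max_counter=100_000, slack=5):
    """Attacker logs in, notes the time and the id received, and brute-forces the
    counter by recomputing the scheme over a small range. Returns (counter, time)
    or None if no match is found within the range.
    """
    for t in range(own_time - slack, own_time + slack + 1):
        for c in range(max_counter):
            if weak_session_id(c, t) == own_id:
                return c, t
    return None


def enumerate_weak_ids(seen_counter, seen_time, counter_window=50, time_window=120):
    """Attacker's view: with the inputs of one id known, list every id the next few
    logins could receive. Search space = counter_window * time_window candidates,
    each of which can be tried as a cookie value.
    """
    return {
        weak_session_id(c, t)
        for c in range(seen_counter + 1, seen_counter + 1 + counter_window)
        for t in range(seen_time, seen_time + time_window)
    }


def strong_session_id(nbytes=32):
    """CSPRNG-backed identifier: nbytes of OS randomness (256 bits by default),
    rendered as URL-safe base64 text so it can be used directly as a cookie value.
    """
    return secrets.token_urlsafe(nbytes)


def entropy_bits(nbytes=32):
    """Entropy carried by strong_session_id(nbytes), for comparison with the weak scheme."""
    return nbytes * 8


if __name__ == "__main__":
    # Constructed scenario: the attacker's login produced counter 1000 at a known time,
    # and the victim logs in shortly afterwards.
    attacker_time = 1_700_000_000
    attacker_id = weak_session_id(1000, attacker_time)
    counter, t = recover_weak_inputs(attacker_id, attacker_time, max_counter=10_000)
    candidates = enumerate_weak_ids(counter, t)
    victim_id = weak_session_id(1001, attacker_time + 30)
    print("victim id in candidate set:", victim_id in candidates, "of", len(candidates))
    print("strong id:", strong_session_id(), "with", entropy_bits(), "bits of entropy")
```

The point of the weak scheme is not that MD5 is broken but that the inputs are guessable: about six thousand candidates cover the victim's next login, which is a trivial number of requests to replay. `secrets.token_urlsafe(32)` has no inputs to recover; guessing it would take on the order of 2^256 attempts.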
