
Rich Cannings, Himanshu Dwivedi, Zane Lackey, and Alex Stamos

"Hacking Exposed Web 2.0: Web 2.0 Security Secrets and Solutions"

Note that both HTTP and HTTPS responses can set the secure
attribute. Thus, an HTTP request/response can alter a secure cookie set over
HTTPS. This is a big problem for some advanced man-in-the-middle attacks.
Chapter 2: Cross-Site Scripting 27
• expires Usually, cookies are deleted when the browser closes. However, you
can set a date in the Wdy, DD-Mon-YYYY HH:MM:SS GMT format to store the
cookie on the user's computer and keep sending the cookie on every HTTP
request until the expiry date. You can delete a cookie immediately by setting the
expires attribute to a past date.
• HttpOnly This attribute is now respected by both Firefox and Internet Explorer. It
is hardly used in web applications because it was only available in Internet Explorer.
If this attribute is set, IE will disallow the cookie from being read or written via JavaScript's
document.cookie. This is intended to prevent the attacker from stealing cookies and
doing something bad. However, the attacker could always write JavaScript that performs
equally bad actions without stealing cookies.
Security attributes are concatenated to the cookies like this:
CookieName1=CookieValue1; domain=.y.z.com; path=/a;
CookieName2=CookieValue2; domain=x.
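An added example, not from the book, that assembles Set-Cookie values in the concatenated attribute form shown above (including the expires date format) and audits a received Set-Cookie header for the secure and HttpOnly attributes from a defender's side; the function names and the sample cookie values are my own.

```python
"""Build and audit Set-Cookie header values (added example, not the book's code)."""
from datetime import datetime, timezone

# Explicit English names so the output does not depend on the process locale.
DAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]
MONTHS = ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
          "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"]

def format_expires(dt):
    """Render a UTC datetime in the Wdy, DD-Mon-YYYY HH:MM:SS GMT form."""
    return "%s, %02d-%s-%04d %02d:%02d:%02d GMT" % (
        DAYS[dt.weekday()], dt.day, MONTHS[dt.month - 1], dt.year,
        dt.hour, dt.minute, dt.second)

def build_set_cookie(name, value, domain=None, path="/", expires=None,
                     secure=True, httponly=True):
    """Concatenate attributes as 'name=value; domain=...; path=...; ...'.
    expires=None yields a session cookie; a past datetime deletes the cookie."""
    parts = [f"{name}={value}"]
    if domain:
        parts.append(f"domain={domain}")
    parts.append(f"path={path}")
    if expires is not None:
        parts.append("expires=" + format_expires(expires))
    if secure:
        parts.append("secure")
    if httponly:
        parts.append("HttpOnly")
    return "; ".join(parts)

def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, {attr: value}), attrs lower-cased."""
    first, *rest = [p.strip() for p in header.split(";")]
    name, _, value = first.partition("=")
    attrs = {}
    for item in rest:
        key, _, val = item.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, value, attrs

def audit_set_cookie(header, over_https):
    """List weaknesses in a Set-Cookie header, given the scheme of the response."""
    name, _, attrs = parse_set_cookie(header)
    findings = []
    if over_https and "secure" not in attrs:
        findings.append(f"{name}: set over HTTPS without secure; will also be sent over HTTP")
    if not over_https and "secure" in attrs:
        findings.append(f"{name}: secure set by a plaintext HTTP response; "
                        "can overwrite an HTTPS-set cookie (MITM exposure)")
    if "httponly" not in attrs:
        findings.append(f"{name}: no HttpOnly; readable through document.cookie")
    return findings
```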

