Skip to content

Forms Authentication - Weak Cookie Protection

What does this mean ?

The application uses a protection mechanism that relies on the existence or values of a cookie, but it does not properly ensure that the cookie is valid for the associated user. Web Cookies are often a key attack vector for malicious users and the application should always take due diligence to protect cookies.

What can happen ?

Attackers can easily modify cookies, within the browser or by implementing the client-side code outside of the browser. Attackers can bypass protection mechanisms such as authorization and authentication by modifying the cookie to contain an expected value.

Recommendation

  • Avoid using cookie data for a security-related decision.
  • Perform thorough input validation (i.e.: server side validation) on the cookie data if you're going to use it for a security related decision.
  • Add integrity checks to detect tampering.
  • Protect critical cookies from replay attacks, since cross-site scripting or other attacks may allow attackers to steal a strongly-encrypted cookie that also passes integrity checks.

References