[WEB SECURITY] secure cookie on a public site

Santhosh Kumar K santoshkumar at temenos.com
Tue Mar 22 00:22:13 EDT 2011


It's always a good security practice to set cookies with the secure attribute when HTTPS is used. How can you confirm there is no confidential information in the cookie? It might not contain any now, but web app developers might include some in later stages. Prevention is always better than cure.

Santhosh Kumar

From: websecurity-bounces at lists.webappsec.org [mailto:websecurity-bounces at lists.webappsec.org] On Behalf Of Pankaj Upadhyay
Sent: Monday, March 21, 2011 7:23 PM
To: websecurity at lists.webappsec.org
Subject: [WEB SECURITY] secure cookie on a public site

If a site is running on an HTTPS channel but the content is not confidential and the site uses a few cookies which are not secure and do not contain any confidential/sensitive data, what is the risk associated here? As I've read, cookies should be secure, but I am not able to justify it to myself. Could anyone please help?

Pankaj Upadhyay
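The point made in the reply above is that a cookie without the Secure attribute is attached by the browser to any plain http:// request for the site, so whatever the cookie holds later will travel in the clear. The following is an added example, not code from either poster: it parses Set-Cookie headers, applies the browser's rule that Secure cookies go only over HTTPS, and audits a constructed set of response headers for cookies missing Secure or HttpOnly. The header strings and the URLs are constructed sample input.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass
class Cookie:
    name: str
    value: str
    secure: bool
    httponly: bool


def parse_set_cookie(header: str) -> Cookie:
    """Parse one Set-Cookie header value into a Cookie record.

    Attribute names are case-insensitive per RFC 6265, so they are lowered
    before the Secure / HttpOnly flags are looked up.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return Cookie(name.strip(), value, "secure" in attrs, "httponly" in attrs)


def would_send(cookie: Cookie, request_url: str) -> bool:
    """Browser rule (RFC 6265 section 5.4): a Secure cookie is attached only to
    requests over a secure channel; a non-Secure cookie is attached regardless
    of scheme. Domain/path matching is assumed to succeed here."""
    scheme = urlsplit(request_url).scheme.lower()
    if cookie.secure and scheme != "https":
        return False
    return True


def audit_cookies(set_cookie_headers):
    """Return one finding per missing protective attribute across all cookies."""
    findings = []
    for header in set_cookie_headers:
        cookie = parse_set_cookie(header)
        if not cookie.secure:
            findings.append(
                f"{cookie.name}: missing Secure; browser will send it in clear "
                f"over any http:// request to the site"
            )
        if not cookie.httponly:
            findings.append(
                f"{cookie.name}: missing HttpOnly; readable by page scripts"
            )
    return findings


# Constructed sample: one cookie set correctly, one set without any attributes.
SAMPLE_HEADERS = [
    "SESSIONID=abc123; Path=/; Secure; HttpOnly",
    "prefs=lang%3Den; Path=/",
]

if __name__ == "__main__":
    for finding in audit_cookies(SAMPLE_HEADERS):
        print(finding)
    prefs = parse_set_cookie(SAMPLE_HEADERS[1])
    print("prefs sent over http://?", would_send(prefs, "http://www.example.com/"))
```

Running the audit on the sample reports only the `prefs` cookie, and `would_send` shows that it would be transmitted on a plain http:// request even though the site itself is served over HTTPS. That is the risk the thread is about: the attribute guards the channel, not the current contents.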


