HTTPS & Cookies: Still Vulnerable?

TL;DR

Yes. Serving your site over HTTPS does not by itself keep a cookie off the wire. A cookie set without the Secure attribute is attached to any plain http:// request the browser later makes to your host, so an attacker on the same network (public Wi-Fi, a rogue hotspot) only needs to provoke one such request to capture it. Cross-site scripting is a different problem, addressed by the HttpOnly attribute rather than by Secure. Set both attributes on every cookie that carries a session identifier or other user data.

Understanding the Problem

HTTPS encrypts data in transit between a user's browser and your server, but only on the requests that actually travel over HTTPS. A cookie is stored by the browser and attached to later requests according to its own attributes, not according to how the response that set it was delivered. The Secure attribute tells the browser to send the cookie only over HTTPS connections; without it, the same cookie is also sent over plain HTTP to the same host.

Why Cookies Without the Secure Flag are Vulnerable

  1. Man-in-the-Middle (MITM) Attacks: An attacker positioned between the user and your site (on public Wi-Fi, for example) cannot read the HTTPS traffic itself, but can make the browser issue a plaintext request to your host: an image or link pointing at the http:// version of your site injected into any unencrypted page the user loads, or simply the user typing your domain without https://. The browser attaches every cookie for that host that lacks the Secure attribute to that request, and the attacker reads it off the wire. The attacker's reply to that request can also carry Set-Cookie headers; modern browsers refuse to let a plaintext response overwrite an existing Secure cookie, which is another reason to set the attribute.
  2. Cross-Site Scripting (XSS): If an attacker can inject JavaScript into your pages, that script runs inside the user's session and can read document.cookie regardless of HTTPS. The Secure attribute does nothing here; the HttpOnly attribute does, by hiding the cookie from script entirely. HttpOnly only prevents reading the value, though: injected script can still make authenticated requests from the victim's browser, so the XSS itself must still be fixed. Secure and HttpOnly address different attacks, which is why a session cookie needs both.
  3. Downgrade Attacks: Tools such as sslstrip keep the victim on plaintext HTTP by rewriting https:// links in pages the victim loads over HTTP, while the attacker talks HTTPS to the real site. Any cookie without the Secure attribute crosses the plaintext leg in the clear. HTTP Strict Transport Security (HSTS) makes the browser refuse plaintext connections to your host and closes this gap for returning visitors; the Secure attribute protects the cookie itself when HSTS has not yet been seen or is not deployed.

How to Protect Your Cookies

The best way to protect your cookies is to always set the Secure flag when creating them.

Step-by-Step Guide

  1. Check Your Cookie Settings: Review how you’re setting cookies in your application code.
  2. Set the Secure Flag: When setting a cookie, include the Secure flag. The exact method depends on your programming language and framework.

    • PHP (7.3 or later, which accepts the options array):
      setcookie('my_cookie', 'value', ['secure' => true]);
    • JavaScript (using document.cookie): Script on an HTTPS page can append the Secure attribute to the string it assigns to document.cookie, but no script can set HttpOnly, so a cookie created client-side is readable by every script on the page, including injected ones. Create session and authentication cookies on the server and reserve client-side cookies for non-sensitive state such as UI preferences.
    • Python (Flask):
      from flask import make_response
      # inside a view function:
      response = make_response('Cookie set!')
      response.set_cookie('my_cookie', 'value', secure=True)
    • Node.js (Express):
      res.cookie('my_cookie', 'value', { secure: true }); // inside a route handler
  3. Set the HttpOnly Flag: Also set HttpOnly so that document.cookie cannot read the cookie; this is the attribute that limits the damage from XSS. Flask accepts the same option as httponly=True.
    • PHP:
      setcookie('my_cookie', 'value', ['secure' => true, 'httponly' => true]);
    • Node.js (Express):
      res.cookie('my_cookie', 'value', { secure: true, httpOnly: true });
  4. Test Your Cookie Settings: Load the site over HTTPS, open Developer Tools (usually F12), go to the Application tab in Chrome or the Storage tab in Firefox, then Cookies, and check the Secure and HttpOnly columns for the cookie you created. You can also read the Set-Cookie response header directly, for example with curl, which shows exactly what the server sends. Test against a deployment that terminates TLS the way production does: some session libraries only emit Secure when they believe the request arrived over HTTPS, and behind a TLS-terminating proxy that depends on the proxy headers being trusted.
  5. Ensure Full HTTPS Coverage: Serve the entire site over HTTPS, redirect plain http:// requests to https://, and send a Strict-Transport-Security header so that browsers stop making plaintext requests to your host at all. The Secure attribute then covers what HSTS cannot, such as a user's very first visit before the header has been cached.
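
The following is an added example written for this article, not code from the original post or from any of the frameworks above. It models, in plain Node.js, the browser-side rules from RFC 6265 that decide whether a stored cookie is attached to a request, which is what the MITM and downgrade scenarios in the previous section rely on, and it audits a Set-Cookie header for the attributes that steps 2 and 3 ask for. The host name shop.example.test, the cookie names and the header strings are constructed for the demonstration.

```javascript
// Added example, not code from the original article: a small model of the
// browser-side rules in RFC 6265 (section 5.4) that decide whether a stored
// cookie is attached to a request, plus an audit of the attributes a session
// cookie should carry. Host names, cookie names and header strings below are
// constructed for the demonstration.

// Parse one Set-Cookie header value into a cookie record.
function parseSetCookie(header) {
  const [pair, ...attrParts] = header.split(";");
  const eq = pair.indexOf("=");
  if (eq === -1) throw new Error("Set-Cookie value has no name=value pair");
  const cookie = {
    name: pair.slice(0, eq).trim(),
    value: pair.slice(eq + 1).trim(),
    secure: false,
    httpOnly: false,
    sameSite: null,
    domain: null, // null means host-only: sent back to the setting host alone
    path: "/",
  };
  for (const part of attrParts) {
    const [rawKey, ...rest] = part.split("=");
    const key = rawKey.trim().toLowerCase();
    const val = rest.join("=").trim();
    if (key === "secure") cookie.secure = true;
    else if (key === "httponly") cookie.httpOnly = true;
    else if (key === "samesite") cookie.sameSite = val.toLowerCase();
    else if (key === "domain") cookie.domain = val.replace(/^\./, "").toLowerCase();
    else if (key === "path" && val.startsWith("/")) cookie.path = val;
  }
  return cookie;
}

// RFC 6265 section 5.1.4 path-match: identical, or a prefix that ends at a "/".
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
}

// Would a browser attach `cookie` (set by `setByHost`) to a request for `url`?
// The Secure check is the one this article is about: without the attribute,
// the scheme of the request is never consulted.
function wouldSend(cookie, setByHost, url) {
  const u = new URL(url);
  if (cookie.secure && u.protocol !== "https:") return false;
  const host = u.hostname.toLowerCase();
  const domainOk = cookie.domain === null
    ? host === setByHost.toLowerCase()
    : host === cookie.domain || host.endsWith("." + cookie.domain);
  return domainOk && pathMatches(u.pathname, cookie.path);
}

// List the hardening attributes a session cookie lacks.
function auditCookie(cookie) {
  const findings = [];
  if (!cookie.secure) findings.push("missing Secure: sent on plaintext http:// requests");
  if (!cookie.httpOnly) findings.push("missing HttpOnly: readable via document.cookie after XSS");
  if (cookie.sameSite === null) findings.push("missing SameSite: cross-site behaviour left to browser defaults");
  if (cookie.domain !== null) findings.push(`Domain=${cookie.domain}: shared with every subdomain`);
  return findings;
}

// Constructed scenario: both cookies were set by an HTTPS response from
// shop.example.test. An attacker on the victim's network then gets the browser
// to load http://shop.example.test/favicon.ico, for example through an <img>
// tag injected into any plaintext page the victim visits.
const ORIGIN_HOST = "shop.example.test";
const LEAK_URL = "http://shop.example.test/favicon.ico";
const WEAK = parseSetCookie("session=abc123; Path=/");
const HARDENED = parseSetCookie("session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax");

function demo() {
  return {
    weakLeaks: wouldSend(WEAK, ORIGIN_HOST, LEAK_URL),                                        // true
    hardenedLeaks: wouldSend(HARDENED, ORIGIN_HOST, LEAK_URL),                                // false
    hardenedStillWorks: wouldSend(HARDENED, ORIGIN_HOST, "https://shop.example.test/account"), // true
    weakFindings: auditCookie(WEAK),          // three findings
    hardenedFindings: auditCookie(HARDENED),  // none
  };
}

console.log(demo());
```

Run it with node to see that the cookie set without Secure is attached to the plaintext favicon request while the hardened one is not, yet the hardened cookie still flows on https:// requests to the same host. Real browsers add a few exceptions the model leaves out, notably treating http://localhost as a secure context during development, and they enforce SameSite rules that are not modelled here.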

Important Considerations

  • Subdomains: Setting the Domain attribute (for example Domain=example.com) makes the cookie available to every subdomain, including ones run by other teams or services that may not be as well protected. Omit Domain unless the cookie genuinely has to be shared; a cookie without it is host-only and goes back only to the host that set it.
  • Cookie Scope: Keep Domain and Path as narrow as the application allows, so that a weakness on one host or path cannot expose cookies meant for another. Naming a cookie with the __Host- prefix makes browsers accept it only if it carries Secure, has no Domain attribute and has Path=/, which turns these scope rules into something the browser enforces for you.