An HTTP cookie (also called web cookie, Internet cookie, browser cookie, or simply cookie) is a small piece of data stored on the user's computer by the web browser while browsing a website. There are different types of cookies, e.g. authentication cookies. Authentication cookies are the most common method web servers use to know whether the user is logged in or not, and which account they are logged in with.

Below are guidelines on how to implement and use cookies and on what is allowed under the GDPR and the ePrivacy Directive.

The OWASP Logging Cheat Sheet is focused on providing developers with concentrated guidance on building application logging mechanisms, especially related to security logging.

A web session is a sequence of HTTP request and response transactions associated with the same user. Modern and complex web applications require retaining information or status about each user for the duration of multiple requests. Sessions therefore provide the ability to establish variables, such as access rights and localization settings, which apply to each and every interaction a user has with the web application for the duration of the session.

Cookies are an important tool that can give businesses a great deal of insight into their users’ online activity. Despite their importance, the regulations governing cookies are split between the GDPR and the ePrivacy Directive.

The goal of this section is to introduce, discuss, and provide language-specific mitigation techniques for the HttpOnly cookie flag.

The Secure flag is an option that can be set by the application server when sending a new cookie to the user within an HTTP response. The purpose of the Secure flag is to prevent cookies from being observed by unauthorized parties due to transmission of the cookie in clear text. To accomplish this, browsers that support the Secure flag will only send a cookie carrying it when the request is going to an HTTPS page.

The SameSite attribute prevents the browser from sending the cookie along with cross-site requests. Its main goal is to mitigate the risk of cross-origin information leakage. It also provides some protection against cross-site request forgery attacks.
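The three attributes above (HttpOnly, Secure, SameSite) are all set on the server side in the `Set-Cookie` response header. The following added example, which is not part of the original page or of any OWASP material, shows how a server builds a correctly flagged session cookie and how a simple audit routine checks `Set-Cookie` headers for the missing attributes; the cookie names and values are constructed for illustration.

```python
"""Build and audit Set-Cookie headers for the Secure, HttpOnly and SameSite attributes.

Added example (not from the original page). Cookie names/values are constructed.
"""


def build_set_cookie(name, value, *, secure=True, http_only=True,
                     same_site="Lax", path="/", max_age=None):
    """Return a Set-Cookie header value with the hardening attributes applied.

    Defaults produce: Secure (HTTPS only), HttpOnly (not readable by page
    scripts) and SameSite=Lax (not sent on most cross-site requests).
    """
    parts = [f"{name}={value}", f"Path={path}"]
    if max_age is not None:
        parts.append(f"Max-Age={int(max_age)}")
    if secure:
        parts.append("Secure")
    if http_only:
        parts.append("HttpOnly")
    if same_site is not None:
        # Browsers require Secure whenever SameSite=None is used.
        if same_site == "None" and not secure:
            raise ValueError("SameSite=None requires the Secure attribute")
        parts.append(f"SameSite={same_site}")
    return "; ".join(parts)


def parse_set_cookie(header):
    """Split a Set-Cookie value into (name, value, attributes).

    Attribute names are lower-cased; flag attributes without a value
    (Secure, HttpOnly) map to True.
    """
    pieces = [p.strip() for p in header.split(";")]
    name, _, value = pieces[0].partition("=")
    attrs = {}
    for piece in pieces[1:]:
        if not piece:
            continue
        key, sep, val = piece.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return name.strip(), value, attrs


def audit_set_cookie(header):
    """Return a list of findings for a Set-Cookie header; empty means all good."""
    _name, _value, attrs = parse_set_cookie(header)
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure: cookie will also be sent over plaintext HTTP")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: cookie is readable by page scripts")
    same_site = attrs.get("samesite")
    if same_site is None or same_site is True:
        findings.append("missing SameSite: behaviour depends on the browser default")
    elif same_site.lower() == "none" and "secure" not in attrs:
        findings.append("SameSite=None without Secure: browsers reject the cookie")
    return findings


if __name__ == "__main__":
    # Constructed sample headers: one hardened, one weak.
    good = build_set_cookie("sessionid", "c0nstructed-value", max_age=3600)
    weak = "sessionid=c0nstructed-value; Path=/"
    print(good)
    print("findings for hardened cookie:", audit_set_cookie(good))
    print("findings for weak cookie:", audit_set_cookie(weak))
```

The audit function is the kind of check a reviewer or a response-header test can run over every `Set-Cookie` an application emits; a session cookie that produces any finding should be treated as a defect.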

"Cookie Security - Myths and Misconceptions"
David Johansson – OWASP London 30 Nov. 2017

Copyright © 2019-2020 - All Rights Reserved