
The MDN docs on HTTP cookies state:

A secure cookie is only sent to the server with an encrypted request over the HTTPS protocol. Even with Secure, sensitive information should never be stored in cookies, as they are inherently insecure and this flag can't offer real protection.

HTTPS requests have their request bodies and all of their headers encrypted with TLS, including the Set-Cookie: response header and the Cookie: request header. This should prevent third parties from reading or tampering with the cookie values.

So why are cookies "inherently insecure"? (Perhaps Mozilla is thinking of someone with access to the user's computer being able to inspect their cookies?)

1 Answer


Why are cookies "inherently insecure"?

The biggest problem with cookies is that they are stored on the user's computer, which opens up many possibilities. The server loses control of the cookie's privacy once it is sent to the client. As the cookie data is stored on the user's computer, the data can be leaked when:

  • A vulnerability in the operating system is exploited by an attacker.
  • A vulnerability in the user agent is exploited by an attacker.
  • A browser extension gets permission to read cookies (e.g. in Chrome). Yes, a notification will be displayed to the user, but a lot of people just ignore the alert and click "Yes".
  • The cookie is inspected in the browser dev tools by another person.
  • More...

For the secure flag, if you send sensitive information in a secure cookie to the browser, there are still security concerns:

  • As long as the httpOnly flag is not set, any malicious script can read that cookie and send the information to any server.
  • If the domain setting is not correct, you may leak that sensitive cookie to some interfaces. For example, if the secure cookie's domain is /, then all backend APIs would receive the sensitive data, which may not be what you want.
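The question asks what the Secure flag does and does not protect, and the answer lists the attributes that decide where a cookie ends up (Secure, HttpOnly, and its domain/path scope). The checker below audits Set-Cookie headers for exactly those attributes. It is an added example, not code from the original question or answer; the sample headers, cookie names and the `sensitive` flag passed by the caller are constructed assumptions.

```python
"""Audit Set-Cookie headers for the weaknesses the answer lists.

Added example (not from the original question or answer). The sample
headers below are constructed for illustration; the cookie names and
values are placeholders, not taken from any real site.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Sequence


@dataclass
class CookieAudit:
    name: str
    secure: bool = False
    http_only: bool = False
    same_site: Optional[str] = None
    domain: Optional[str] = None
    path: str = "/"
    findings: List[str] = field(default_factory=list)


def parse_set_cookie(header: str) -> CookieAudit:
    """Parse one Set-Cookie header value into its name and attributes."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    audit = CookieAudit(name=name)
    for attr in parts[1:]:
        key, _, value = attr.partition("=")
        key, value = key.strip().lower(), value.strip()
        if key == "secure":
            audit.secure = True
        elif key == "httponly":
            audit.http_only = True
        elif key == "samesite":
            audit.same_site = value.lower() or None
        elif key == "domain":
            # A leading dot is ignored by modern browsers; normalise it away.
            audit.domain = value.lstrip(".").lower() or None
        elif key == "path":
            audit.path = value or "/"
    return audit


def audit_cookie(header: str, sensitive: bool = True) -> CookieAudit:
    """Record the concerns from the answer for one Set-Cookie header.

    `sensitive` is supplied by the caller (an assumption of this example):
    a session token is sensitive, a UI preference cookie is not.
    """
    audit = parse_set_cookie(header)
    if not audit.secure:
        audit.findings.append("missing Secure: cookie is also sent over plain HTTP")
    if sensitive and not audit.http_only:
        audit.findings.append("missing HttpOnly: page scripts can read the value")
    if sensitive and audit.same_site is None:
        audit.findings.append("missing SameSite: attached to cross-site requests")
    if audit.domain is not None:
        # A Domain attribute shares the cookie with every subdomain,
        # not only the host that set it.
        audit.findings.append(f"Domain={audit.domain}: shared with all subdomains")
    if sensitive and audit.path == "/":
        # Path only scopes which requests carry the cookie; it is not a
        # security boundary, but the answer's point is that every endpoint
        # on the host then receives the sensitive value.
        audit.findings.append("Path=/: sent with every request to the host")
    return audit


def audit_headers(headers: Sequence[str],
                  sensitive_names: Sequence[str] = ("sessionid",)) -> Dict[str, List[str]]:
    """Audit several Set-Cookie headers; returns cookie name -> findings."""
    report: Dict[str, List[str]] = {}
    for header in headers:
        audit = audit_cookie(header, sensitive=parse_set_cookie(header).name in sensitive_names)
        report[audit.name] = audit.findings
    return report


# Constructed sample headers: one hardened session cookie, one bare one,
# and a non-sensitive preference cookie with a broad Domain.
SAMPLE_HEADERS = [
    "sessionid=abc123; Path=/account; Secure; HttpOnly; SameSite=Strict",
    "sessionid=abc123; Path=/",
    "theme=dark; Path=/; Domain=.example.com; Secure",
]

if __name__ == "__main__":
    for name, findings in audit_headers(SAMPLE_HEADERS).items():
        print(name, "->", findings or "no findings")
```

The second sample header is the case the answer warns about: without Secure it travels over plain HTTP, without HttpOnly any script on the page can read it, and with Path=/ every endpoint on the host receives it. The first header shows the same cookie with the attributes set.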