What are cookies?
Cookies, also called HTTP cookies, are small pieces of data that a website sends to the browser in a Set-Cookie response header; the browser stores them and sends them back with every later request to that site. Websites use those small pieces of data to keep track of users and enable user-specific features. They enable core website functionality, such as login sessions and e-commerce shopping carts, and are also used for more controversial purposes, such as tracking user activity. Cookies are a necessary part of the way the web works as well as a source of privacy concerns and security risks. For this reason, casual web users and web developers alike have good reason to understand how these tiny pieces of data work.
Why are cookies so important?
Cookies remain a critical component of the online world. And while companies are now obliged to be more transparent about cookie collection and consumption, another problem remains. If attackers obtain the session cookie a site issues after a successful MFA login, they can simply present that cookie to the server: the server has no way to tell the attacker's browser from the victim's, so MFA is never re-challenged and the attacker gets the victim's access to enterprise applications and networks. This is the crux of cookie hijacking, also known as session hijacking.
In practice, cookie hijacking exploits the stateless nature of HTTP. Each request, whether it is a user reaching for a corporate network, a bank account, or an e-commerce account, is handled on its own, so a web application has no built-in way to 'remember' that the user already logged in. Using HTTP alone would be extremely frustrating, with login and password details required for every task. Session cookies are the standard fix: after authentication the server issues a session identifier in a cookie, the browser attaches it to every subsequent request, and the server treats anything carrying that identifier as the authenticated user. That convenience is exactly what makes the cookie worth stealing, because whoever holds it is, as far as the server can tell, the user.
What Are Progressive Web Apps?
Progressive Web Apps (PWA) combine new technologies with established best practices for creating reliable, accessible, and engaging experiences. They give users a native-like experience with a user-friendly opt-in installation flow.
To keep session cookies out of the hands of attackers, companies need layered defenses. These can include:
HTTPS Cookies Only
While many enterprises now use HTTPS on login pages to prevent eavesdropping on credentials, this isn't enough to prevent cookie hijacking: once the session cookie has been issued, any later request made over plain HTTP sends it in cleartext, where anyone on the network path can copy it. Using HTTPS across all websites, services and PWAs instead extends that protection to the session identifier itself and reduces the risk of cookie-jacking attacks. Setting the Secure attribute on the session cookie at the application server, which tells the browser to send the cookie only over HTTPS, prevents the browser from ever leaking it over a plaintext connection even if a link or a downgrade attempt points it at http://. Enabling HTTP Strict Transport Security (HSTS) on the same hosts closes the remaining gap by stopping the browser from making the plaintext request at all.
Improved Storage Architecture
To reduce the time between request and response and improve the performance of PWAs, it is common to keep data client-side in HTML5 web storage (localStorage and sessionStorage). The problem? Web storage is fully readable by any JavaScript running on the page's origin, so a single cross-site scripting (XSS) flaw lets injected script read a session token stored there and send it to the attacker, which streamlines the job of a cookie stealer. A session identifier held in a cookie marked HttpOnly, by contrast, is never exposed to script at all, even under XSS. To limit the chance of session compromise, we recommend keeping session identifiers out of web storage and in HttpOnly, Secure cookies, and using web storage only for data that is not security-sensitive.
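As an added example that is not code from the original article, the Node.js snippet below ties the two points above together: it builds a hardened Set-Cookie header for a session identifier (Secure, HttpOnly and a SameSite restriction) and audits an arbitrary Set-Cookie header for which of those protections is missing and what each omission leaves open to an attacker. The function names, the sample headers and the exact set of checks are assumptions made for this illustration, not a standard or a specific product's behaviour.

```javascript
// Added example (not from the original article). Builds and audits session
// cookies so that a stolen session is harder to obtain. All names here
// (buildSessionCookie, auditSetCookie, the sample headers) are assumptions
// made for this illustration.

// Build a Set-Cookie header value for a session identifier.
// Defaults are the hardened settings: Secure (sent over HTTPS only),
// HttpOnly (not readable by document.cookie, so XSS cannot copy it) and
// SameSite=Lax (not attached to most cross-site requests).
function buildSessionCookie(name, value, opts = {}) {
  const {
    secure = true,
    httpOnly = true,
    sameSite = 'Lax',
    path = '/',
    maxAge = 3600,
  } = opts;
  // Cookie names are HTTP tokens; values must not contain separators.
  if (!/^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/.test(name)) {
    throw new Error('invalid cookie name');
  }
  if (/[\s;,"\\]/.test(value)) {
    throw new Error('cookie value must not contain whitespace, ; , " or \\');
  }
  const parts = [`${name}=${value}`, `Path=${path}`, `Max-Age=${maxAge}`];
  if (secure) parts.push('Secure');
  if (httpOnly) parts.push('HttpOnly');
  if (sameSite) parts.push(`SameSite=${sameSite}`);
  return parts.join('; ');
}

// Parse a Set-Cookie header value and report which protections are missing
// and what each omission allows an attacker to do with the session.
function auditSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const name = pair.slice(0, pair.indexOf('='));
  const lower = attrs.map((a) => a.toLowerCase());
  const has = (attr) => lower.some((a) => a === attr || a.startsWith(attr + '='));
  const sameSite = lower.find((a) => a.startsWith('samesite='));
  const findings = [];
  if (!has('secure')) {
    findings.push('no Secure: sent over plain HTTP, exposed to network eavesdropping');
  }
  if (!has('httponly')) {
    findings.push('no HttpOnly: readable by injected script (XSS), just like web storage');
  }
  if (!sameSite || sameSite === 'samesite=none') {
    findings.push('no SameSite restriction: attached to cross-site requests (CSRF); browser defaults vary');
  }
  if (sameSite === 'samesite=none' && !has('secure')) {
    findings.push('SameSite=None without Secure: modern browsers reject this cookie');
  }
  return { name, findings, hardened: findings.length === 0 };
}

// Constructed sample headers, as an application server might emit them.
const WEAK_HEADER = 'sid=abc123; Path=/';
const HARDENED_HEADER = buildSessionCookie('sid', 'abc123');

// Run both headers through the audit and return the results.
function demo() {
  return {
    hardened: HARDENED_HEADER,
    weakAudit: auditSetCookie(WEAK_HEADER),
    hardenedAudit: auditSetCookie(HARDENED_HEADER),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The audit function is the part worth reusing: point it at the Set-Cookie headers a staging environment actually returns (for example from a proxy log) rather than at the configuration you think is deployed, since the two drift apart.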
Extensible IAM Services
Comprehensive identity and access management (IAM) services that centralize authentication and session handling, including short session lifetimes and the ability to revoke active sessions, limit how long a stolen cookie stays useful. Much like MFA, these tools aren't enough in isolation to defend applications at scale. When layered with complementary controls such as runtime application self-protection (RASP) and site-wide HTTPS, however, IAM solutions help reduce the overall risk.