
Difference between revisions of "Talk:Testing for cookies attributes (OTG-SESS-002)"

From OWASP

Revision as of 16:33, 27 April 2012

Reviewer Note

https://www.owasp.org/index.php/User:Rick.mitchell#.22and.2For.22_Explanation Rick.mitchell 10:33, 22 July 2008 (EDT)

Re: Section Title

"Testing for cookies attributes"

Something is wrong with this title. One of the following should be used:
Testing for cookies' attributes (Multiple attributes belonging to multiple cookies)
Testing for cookie attributes (Multiple attributes per cookie)
Testing for cookie's attributes (Multiple attributes belonging to a cookie) Rick.mitchell 10:05, 22 July 2008 (EDT)

Domain attribute

There's an error in the Domain attribute explanation: "For example, if a cookie is set by an application at app.mydomain.com with no domain attribute set, then the cookie would be resubmitted for all subsequent requests for app.mydomain.com and its subdomains (such as hacker.app.mydomain.com)"

That's not correct. If the cookie set by an application at app.mydomain.com has no domain attribute set, then the cookie will be submitted -only- to app.mydomain.com and NOT to subdomains such as hacker.app.mydomain.com. Also, if you set the attribute to ".app.domain.com" the cookie WILL be submitted to subdomains.

In conclusion, it's more restrictive/secure if you leave the domain attribute unset.
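The scoping rules argued over above can be checked mechanically. The following is an added example, not code from the OWASP testing guide or from either commenter: a small model of RFC 6265 cookie storage and the "which hosts get this cookie" decision, plus the attribute checks a tester runs under OTG-SESS-002. The hostnames (app.mydomain.com and its neighbours) and the Set-Cookie headers are constructed samples; the IP-address test inside domain_match is a deliberate simplification that only recognises dotted-decimal IPv4.

```python
# Added example (not from the OWASP wiki page): RFC 6265-style cookie scoping,
# used to confirm that a cookie without a Domain attribute is host-only while
# Domain=.app.mydomain.com makes it flow to every subdomain of app.mydomain.com.
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Cookie:
    name: str
    value: str
    domain: str           # effective domain, lower-case, no leading dot
    host_only: bool       # True when Set-Cookie carried no Domain attribute
    path: str
    secure: bool
    http_only: bool
    same_site: Optional[str]


def domain_match(host: str, domain: str) -> bool:
    """RFC 6265 5.1.3: host is the domain itself or a subdomain of it.
    Simplification: only dotted-decimal IPv4 is recognised as an IP address."""
    host, domain = host.lower(), domain.lower()
    if host == domain:
        return True
    return host.endswith("." + domain) and not host.replace(".", "").isdigit()


def path_match(request_path: str, cookie_path: str) -> bool:
    """RFC 6265 5.1.4 path-match ("/app" matches "/app/x" but not "/application")."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False


def default_path(request_path: str) -> str:
    """RFC 6265 5.1.4 default-path, used when Set-Cookie has no Path attribute."""
    if not request_path.startswith("/") or request_path.count("/") == 1:
        return "/"
    return request_path.rsplit("/", 1)[0]


def parse_set_cookie(header: str, request_host: str, request_path: str = "/") -> Optional[Cookie]:
    """Store a Set-Cookie header the way a user agent would (RFC 6265 5.2, 5.3).
    Returns None when the UA would discard it (Domain does not cover the host)."""
    name_value, *attrs = [p.strip() for p in header.split(";")]
    name, _, value = name_value.partition("=")
    domain, host_only, path = request_host.lower(), True, default_path(request_path)
    secure = http_only = False
    same_site = None
    for attr in attrs:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "domain" and val:
            val = val.lstrip(".").lower()          # leading dot is ignored (5.2.3)
            if not domain_match(request_host, val):
                return None                        # e.g. Domain=evil.com set by app.mydomain.com
            domain, host_only = val, False
        elif key == "path" and val.startswith("/"):
            path = val
        elif key == "secure":
            secure = True
        elif key == "httponly":
            http_only = True
        elif key == "samesite":
            same_site = val.capitalize() or None
    return Cookie(name.strip(), value.strip(), domain, host_only, path, secure, http_only, same_site)


def is_sent_to(cookie: Cookie, host: str, path: str = "/", https: bool = True) -> bool:
    """Would the UA attach this cookie to a request for host/path? (RFC 6265 5.4)"""
    if cookie.host_only:
        if host.lower() != cookie.domain:
            return False
    elif not domain_match(host, cookie.domain):
        return False
    if not path_match(path, cookie.path):
        return False
    if cookie.secure and not https:
        return False
    return True


def attribute_findings(cookie: Cookie) -> List[str]:
    """The attribute checks a tester runs on a session cookie under OTG-SESS-002."""
    findings = []
    if not cookie.secure:
        findings.append("missing Secure: sent over plaintext HTTP")
    if not cookie.http_only:
        findings.append("missing HttpOnly: readable via document.cookie")
    if not cookie.host_only:
        findings.append(f"Domain={cookie.domain}: also sent to every subdomain of it")
    if cookie.same_site is None:
        findings.append("missing SameSite: sent on cross-site requests")
    return findings


# Constructed samples: the host from the discussion, one cookie without Domain
# (host-only) and one with Domain=.app.mydomain.com (shared with subdomains).
HOST = "app.mydomain.com"
HOST_ONLY = parse_set_cookie("SESSIONID=abc123; Path=/; Secure; HttpOnly", HOST)
BROAD = parse_set_cookie("SESSIONID=abc123; Domain=.app.mydomain.com; Path=/; Secure; HttpOnly", HOST)

if __name__ == "__main__":
    for label, cookie in (("no Domain", HOST_ONLY), ("Domain=.app.mydomain.com", BROAD)):
        for target in (HOST, "hacker.app.mydomain.com", "other.mydomain.com"):
            print(f"{label:25} -> {target:25} sent={is_sent_to(cookie, target)}")
        print(f"{label:25} findings: {attribute_findings(cookie)}")
```

Running it prints that the host-only cookie reaches app.mydomain.com and nothing else, while the Domain=.app.mydomain.com cookie also reaches hacker.app.mydomain.com (but still not other.mydomain.com, since that is a sibling, not a subdomain). During a test, feed the real Set-Cookie headers from the target into parse_set_cookie with the host that issued them and list the hosts each session cookie would be sent to; a Domain value set to the apex (Domain=mydomain.com) is the case worth flagging, because every subdomain, including ones run by other teams or third parties, then receives the session cookie.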