Difference between revisions of "Talk:Testing for cookies attributes (OTG-SESS-002)"
Revision as of 16:33, 27 April 2012
Reviewer Note
https://www.owasp.org/index.php/User:Rick.mitchell#.22and.2For.22_Explanation Rick.mitchell 10:33, 22 July 2008 (EDT)
Re: Section Title
"Testing for cookies attributes"
Something is wrong with this title. One of the following should be used:
Testing for cookies' attributes
(Multiple attributes belonging to multiple cookies)
Testing for cookie attributes
(Multiple attributes per cookie)
Testing for cookie's attributes
(Multiple attributes belonging to a cookie) Rick.mitchell 10:05, 22 July 2008 (EDT)
Domain attribute
There's an error in the Domain attribute explanation: "For example, if a cookie is set by an application at app.mydomain.com with no domain attribute set, then the cookie would be resubmitted for all subsequent requests for app.mydomain.com and its subdomains (such as hacker.app.mydomain.com)"
That's not correct. If the cookie set by an application at app.mydomain.com has no domain attribute set, then the cookie will only be submitted to app.mydomain.com and NOT to subdomains such as hacker.app.mydomain.com. Also, if you set the attribute to ".app.domain.com" the cookie WILL be submitted to subdomains.
In conclusion, it's more restrictive/secure if you leave the domain attribute unset.
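As an added example (not part of this talk page or the OWASP guide), the following implements the RFC 6265 domain-scoping rules the comment above describes, using the page's own hostnames; the public-suffix and IP-address checks of the RFC are left out for brevity.

```python
"""Cookie Domain scoping per RFC 6265 (sections 5.1.3, 5.3 and 5.4).

Shows why a Set-Cookie with no Domain attribute is host-only, while
Domain=.app.mydomain.com (leading dot ignored) also covers subdomains.
Hostnames used in the tests are the talk page's examples (assumed).
"""
from dataclasses import dataclass
from typing import Optional


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 section 5.1.3: host equals the domain or is a subdomain of it."""
    request_host = request_host.lower()
    cookie_domain = cookie_domain.lower()
    if request_host == cookie_domain:
        return True
    return request_host.endswith("." + cookie_domain)


@dataclass(frozen=True)
class StoredCookie:
    name: str
    domain: str      # canonical domain, never stored with a leading dot
    host_only: bool  # True when Set-Cookie carried no Domain attribute


def store_cookie(set_cookie_host: str, name: str,
                 domain_attr: Optional[str]) -> Optional[StoredCookie]:
    """RFC 6265 section 5.3 steps 4-6: fix the scope, or reject the cookie (None)."""
    if not domain_attr:
        # No Domain attribute: host-only, scoped to the setting host alone.
        return StoredCookie(name, set_cookie_host.lower(), host_only=True)
    domain = domain_attr.lower().lstrip(".")  # section 5.2.3: leading dot ignored
    if not domain_matches(set_cookie_host, domain):
        return None  # a host may not set cookies for an unrelated domain
    return StoredCookie(name, domain, host_only=False)


def would_send(cookie: StoredCookie, request_host: str) -> bool:
    """RFC 6265 section 5.4 step 1: does this stored cookie go on the request?"""
    if cookie.host_only:
        return request_host.lower() == cookie.domain
    return domain_matches(request_host, cookie.domain)
```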