Cookie Security - Myths and Misconceptions

Explore the intricacies of cookie security in this comprehensive 49-minute conference talk from AppSecUSA 2017. Delve into common myths and misconceptions surrounding cookie security, examining lesser-known facts about well-known cookie attributes. Learn why the 'Secure' attribute doesn't guarantee protection against active man-in-the-middle attacks, how JavaScript can manipulate 'HttpOnly' cookies, and the potential risks of setting the 'Domain' attribute. Discover recent improvements in cookie security implemented by modern browsers, including 'Strict secure cookie', 'Cookie prefixes', and the 'SameSite' attribute. Gain a solid understanding of cookie security pitfalls, associated risks, and how to leverage modern security specifications to enhance cookie protection in web applications. The talk covers cookie basics, lifetime, scope, attributes (Secure, HttpOnly, Path, Domain), and modern protections, concluding with a discussion on optimal cookie configuration.