Cookie Attack Prevention
Protecting cookies from attack is of extreme importance, as session IDs are commonly stored in cookies. Whoever obtains a session ID effectively owns all of the associated session information.
There are several countermeasures that prevent cookies from being attacked.
- An application can use SSL/TLS to create a secure communication channel and pass the authentication cookie only over an HTTPS connection. Attackers are thus unable to read the contents of cookies in transit.
- Expire sessions appropriately, including all cookies and session tokens, to reduce the window in which a stolen session ID is useful.
- Prevent cross-site scripting (XSS), which allows arbitrary script to run in a user's browser and expose the user's cookies.
- Validate cookie data so that any alteration is detected. By default, Prado validates cookie data to ensure it has not been altered.
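The four countermeasures above map onto a small amount of server-side code. The following is an added example written for this page, not Prado's own implementation: it issues a session cookie restricted to HTTPS (`Secure`), hidden from script (`HttpOnly`), bounded by `Max-Age`, and whose value carries an issue timestamp under an HMAC-SHA256 tag, so that both tampering with the session ID and stretching the expiry by editing the cookie are rejected. The cookie name `SESSIONID`, the 900-second idle limit, and the demo key are assumptions made for the example.

```python
"""Signed, expiring session cookie (constructed example, not Prado code)."""
import base64
import hashlib
import hmac
import secrets
from http.cookies import SimpleCookie

# Constructed demo key; a real deployment loads this from configuration.
SECRET_KEY = b"constructed-demo-key-do-not-reuse"
COOKIE_NAME = "SESSIONID"   # assumed cookie name
IDLE_LIMIT = 900            # assumed: seconds a session stays valid


def _mac(payload: str, key: bytes) -> str:
    """URL-safe base64 HMAC-SHA256 tag over the cookie payload."""
    digest = hmac.new(key, payload.encode("ascii"), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).decode("ascii").rstrip("=")


def sign_payload(session_id: str, issued_at: int, key: bytes = SECRET_KEY) -> str:
    """Return '<session_id>:<issued_at>.<tag>'; the timestamp is covered by the tag."""
    payload = f"{session_id}:{issued_at}"
    return f"{payload}.{_mac(payload, key)}"


def verify_payload(cookie_value: str, now: int, key: bytes = SECRET_KEY,
                   idle_limit: int = IDLE_LIMIT):
    """Return the session ID, or None if the value was altered or has expired."""
    payload, sep, tag = cookie_value.rpartition(".")
    if not sep:
        return None
    # Constant-time comparison: a recomputed tag must match the presented one.
    if not hmac.compare_digest(_mac(payload, key), tag):
        return None
    session_id, _, issued = payload.rpartition(":")
    try:
        issued_at = int(issued)
    except ValueError:
        return None
    # Server-side expiry: the client cannot extend it because issued_at is signed.
    if not 0 <= now - issued_at <= idle_limit:
        return None
    return session_id


def set_cookie_header(session_id: str, issued_at: int, key: bytes = SECRET_KEY) -> str:
    """Build the Set-Cookie header line with HTTPS-only, script-inaccessible flags."""
    jar = SimpleCookie()
    jar[COOKIE_NAME] = sign_payload(session_id, issued_at, key)
    morsel = jar[COOKIE_NAME]
    morsel["secure"] = True        # only sent over HTTPS
    morsel["httponly"] = True      # not readable by script, limits XSS impact
    morsel["samesite"] = "Lax"     # not attached to most cross-site requests
    morsel["max-age"] = IDLE_LIMIT # browser discards the cookie after this
    morsel["path"] = "/"
    return jar.output(header="Set-Cookie:")


def read_cookie_header(cookie_header: str, now: int, key: bytes = SECRET_KEY):
    """Parse an incoming Cookie header and return a validated session ID or None."""
    jar = SimpleCookie()
    jar.load(cookie_header)
    if COOKIE_NAME not in jar:
        return None
    return verify_payload(jar[COOKIE_NAME].value, now, key)


def new_session_id() -> str:
    """Unpredictable session ID from the OS CSPRNG."""
    return secrets.token_hex(16)


if __name__ == "__main__":
    sid = new_session_id()
    print(set_cookie_header(sid, issued_at=1_700_000_000))
    print(read_cookie_header(f"{COOKIE_NAME}={sign_payload(sid, 1_700_000_000)}",
                             now=1_700_000_100))
```

The signature protects integrity only; the session ID is still visible to anyone who can read the cookie, which is why the `Secure` flag and an HTTPS-only site remain necessary. Keeping the issue time inside the signed payload means that expiry is enforced by the server even when a client ignores `Max-Age`.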