<com:TContent ID="body">
<h1>Cookie Attack Prevention</h1>
<p>
Protecting cookies from attack is of extreme importance, as session IDs are commonly stored in cookies. If an attacker gets hold of a session ID, he essentially owns all relevant session information.
</p>
<p>
There are several countermeasures to prevent cookies from being attacked.
</p>
<ul>
<li>An application can use SSL to create a secure communication channel and only pass the authentication cookie over an HTTPS connection. Attackers are thus unable to decipher the contents of the transferred cookies.</li>
<li>Expire sessions appropriately, including all cookies and session tokens, to reduce the likelihood of being attacked.</li>
<li>Prevent <a href="?page=Security.XSS">cross-site scripting (XSS)</a>, which causes arbitrary code to run in a user's browser and expose his cookies.</li>
<li>Validate cookie data and detect whether they have been altered.</li>
</ul>
<p>
Prado implements a cookie validation scheme that prevents cookies from being modified. In particular, it performs an HMAC check on the cookie values if cookie validation is enabled.
</p>
<p>
Cookie validation is disabled by default.
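</p>
<p>
The HMAC check behind such a scheme, shown as an added PHP illustration that is not PRADO's own implementation: a tag computed over the cookie value with a server-side secret (the assumed variable <tt>$secret</tt>) is appended when the cookie is sent, then recomputed and compared in constant time when it comes back, so an altered value or a missing tag is rejected. PRADO's own validation, enabled as described next, applies the same idea to the <tt>Cookies</tt> collections.
</p>

```php
<?php
// Added illustration of an HMAC-validated cookie (not PRADO's own implementation).
// $secret is an assumed server-side key: it never leaves the server, and a long
// random value generated once per deployment should be used in practice.

function signCookieValue(string $value, string $secret): string
{
    // The tag covers the whole value, so any change to the value invalidates it.
    $tag = hash_hmac('sha256', $value, $secret);
    return $tag . '|' . $value;
}

function verifyCookieValue(string $cookie, string $secret): ?string
{
    // Split off the tag; a cookie without one is rejected outright.
    // The hex tag never contains '|', and the limit of 2 keeps any '|' in the value intact.
    $parts = explode('|', $cookie, 2);
    if (count($parts) !== 2) {
        return null;
    }
    list($tag, $value) = $parts;
    $expected = hash_hmac('sha256', $value, $secret);
    // hash_equals() compares in constant time, so the comparison does not leak
    // how many leading characters of the tag were right.
    return hash_equals($expected, $tag) ? $value : null;
}

$secret = 'placeholder-server-side-secret';   // constructed for this example only
$signed = signCookieValue('user=42', $secret);

// An unmodified cookie is accepted.
echo verifyCookieValue($signed, $secret) === null ? "rejected\n" : "accepted\n";

// A cookie whose value was changed on the client side no longer matches its tag.
$tampered = str_replace('user=42', 'user=1', $signed);
echo verifyCookieValue($tampered, $secret) === null ? "rejected\n" : "accepted\n";
```

<p>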
To enable it, configure the <tt>THttpRequest</tt> module as follows:
</p>
<com:TTextHighlighter Language="xml" CssClass="source">
<modules>
  <module id="request" class="THttpRequest" EnableCookieValidation="true" />
</modules>
</com:TTextHighlighter>
<p>
To make use of the cookie validation scheme provided by Prado, you also need to retrieve cookies through the <tt>Cookies</tt> collection of <tt>THttpRequest</tt>, using PHP statements such as the following:
</p>
<com:TTextHighlighter CssClass="source">
foreach($this->Request->Cookies as $cookie)
{
    // $cookie is of type THttpCookie
}
</com:TTextHighlighter>
<p>
To send cookie data encoded with validation information, create new <tt>THttpCookie</tt> objects and add them to the <tt>Cookies</tt> collection of <tt>THttpResponse</tt>:
</p>
<com:TTextHighlighter CssClass="source">
$cookie=new THttpCookie($name,$value);
$this->Response->Cookies[]=$cookie;
</com:TTextHighlighter>
</com:TContent>