Cookie Attack Prevention

Protecting cookies from attack is extremely important, because session IDs are commonly stored in cookies. Anyone who obtains a session ID essentially owns all the session information associated with it.

There are several countermeasures to prevent cookies from being attacked.

Prado implements a cookie validation scheme. It associates cookie data with the remote host address and user agent of the client the cookie was issued to. An HMAC check is performed on each incoming cookie to ensure that its data has not been altered and that it was sent from the expected source.

Cookie validation is enabled by default. To obtain validated cookie data, retrieve the cookies from the Cookies collection of THttpRequest, for example with the following PHP statements (cookies that fail validation are not included in the collection):

foreach($this->Request->Cookies as $cookie) // $cookie is of type THttpCookie
{
    $name=$cookie->Name;   // cookie name
    $value=$cookie->Value; // validated cookie value
}

To send cookie data encoded with validation information, create new THttpCookie objects and add them to the Cookies collection of THttpResponse:

$cookie=new THttpCookie($name,$value);
$this->Response->Cookies[]=$cookie;
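The following PHP program is an added example, not PRADO's own code, that illustrates the validation scheme described above (cookie data bound to the client's remote address and user agent with an HMAC) as a standalone implementation. The function names `signCookie` and `readCookie`, the constant `COOKIE_SECRET`, the SHA-256 HMAC, the `tag:base64(data)` layout and the sample request values are all assumptions made here; PRADO's actual key handling, hash algorithm and encoding are not described on this page. It shows why a cookie that is altered, or replayed from a different host or browser, is rejected.

```php
<?php
// Added example, not PRADO's implementation: a cookie value is bound to the
// client's remote address and user agent with an HMAC over all three values,
// and verified before the data is trusted.

// Placeholder secret (assumption): in a real deployment load a long random
// key from configuration, never hard-code it.
const COOKIE_SECRET = 'replace-with-a-long-random-secret';

// Compute the HMAC tag over the cookie data and the client context.
// NUL separators keep "ab"+"c" from colliding with "a"+"bc".
function cookieTag(string $data, string $remoteAddr, string $userAgent, string $secret): string
{
    return hash_hmac('sha256', $data . "\0" . $remoteAddr . "\0" . $userAgent, $secret);
}

// Produce the value to store in the cookie: hex tag, ':', base64-encoded data.
// Neither hex nor base64 contains ':', so the separator is unambiguous.
function signCookie(string $data, string $remoteAddr, string $userAgent, string $secret): string
{
    return cookieTag($data, $remoteAddr, $userAgent, $secret) . ':' . base64_encode($data);
}

// Validate an incoming cookie value; return the data on success, null on any failure.
function readCookie(string $cookieValue, string $remoteAddr, string $userAgent, string $secret): ?string
{
    $parts = explode(':', $cookieValue, 2);
    if (count($parts) !== 2) {
        return null;                       // malformed layout
    }
    [$tag, $encoded] = $parts;
    $data = base64_decode($encoded, true); // strict mode rejects stray characters
    if ($data === false) {
        return null;
    }
    $expected = cookieTag($data, $remoteAddr, $userAgent, $secret);
    // Constant-time comparison so the tag cannot be guessed byte by byte via timing.
    if (!hash_equals($expected, $tag)) {
        return null;
    }
    return $data;
}

// Constructed sample request context (not real traffic).
$addr = '203.0.113.10';
$ua   = 'Mozilla/5.0 (example)';
$cookie = signCookie('sessionid=abc123', $addr, $ua, COOKIE_SECRET);

// Same client: the data is returned unchanged.
var_dump(readCookie($cookie, $addr, $ua, COOKIE_SECRET));
// Same cookie presented from a different remote host: rejected.
var_dump(readCookie($cookie, '198.51.100.7', $ua, COOKIE_SECRET));
// Same cookie presented with a different user agent: rejected.
var_dump(readCookie($cookie, $addr, 'curl/8.0', COOKIE_SECRET));
// Tag kept but data swapped: rejected, because the HMAC no longer matches.
$tampered = substr($cookie, 0, strpos($cookie, ':') + 1) . base64_encode('sessionid=xyz999');
var_dump(readCookie($tampered, $addr, $ua, COOKIE_SECRET));
```

Run it with `php cookie_hmac.php`; the first dump yields the original data and the remaining three yield null. Binding to the remote address has a practical caveat: clients whose address changes mid-session (mobile networks, some proxies) will fail validation and be logged out, which is a trade-off between session hijacking resistance and usability that any such scheme has to accept.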