Session management: a fundamental security component of web applications
Lets a web application recognize the same user across many separate HTTP requests (HTTP itself is stateless), keep the state the user generates between those requests, and bind that state to that user only
Cookie
Small piece of data that a web server sets with the Set-Cookie response header and that the browser stores and sends back with every later request to that site; in web applications the session identifier is usually carried this way
Cookies must be protected because a session cookie is a bearer credential: anyone who obtains it (by sniffing unencrypted traffic, by script injected into the page, or by malware on the client) can act as that user. Session cookies should carry the Secure, HttpOnly and SameSite attributes and travel only over TLS
Session Cookies
Non-persistent: set without an Expires or Max-Age attribute, kept only in the browser's memory and discarded when the browser is closed (caveat: browsers with session restore may keep them across a restart)
Persistent Cookies
Cookies set with an Expires or Max-Age attribute, which the browser writes to its on-disk cookie store and keeps sending until the expiration date passes or the user deletes them
Confidential information should not be stored in cookies at all; keep it server-side and put only an opaque session identifier in the cookie. If application data must live in the cookie, encrypt and integrity-protect it (authenticated encryption or an HMAC) with a key only the server holds, and still send it only over TLS
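The cookie attributes described above, as an added example that is not part of the original page: build_cookie emits a Set-Cookie value with the protective attributes (omitting Max-Age yields a session cookie, supplying it yields a persistent one), and audit_set_cookie is a small check that flags a header missing them. Cookie names and values are constructed for illustration.

```python
# Added example: emitting and auditing Set-Cookie headers (Python standard library only).
from http.cookies import SimpleCookie


def build_cookie(name, value, max_age=None):
    """Return a Set-Cookie header value for `name`.

    Without Max-Age/Expires the browser treats the cookie as a session cookie
    (memory only, dropped when the browser closes).  With Max-Age it becomes a
    persistent cookie written to the browser's cookie store.
    """
    jar = SimpleCookie()
    jar[name] = value
    jar[name]["secure"] = True      # only sent over HTTPS
    jar[name]["httponly"] = True    # not readable via document.cookie
    jar[name]["samesite"] = "Lax"   # withheld on most cross-site requests
    jar[name]["path"] = "/"
    if max_age is not None:
        jar[name]["max-age"] = max_age
    # output() prefixes the header name; header="" leaves only the value
    return jar.output(header="").strip()


def parse_attrs(header_value):
    """Split 'name=value; Attr; Attr=val' into a lower-cased attribute dict."""
    parts = [p.strip() for p in header_value.split(";")]
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return attrs


def audit_set_cookie(header_value):
    """Return the protections missing from a Set-Cookie value (empty list = fine)."""
    attrs = parse_attrs(header_value)
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure: cookie will also be sent over plain HTTP")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: readable by injected script")
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        findings.append("SameSite not Lax/Strict: sent on cross-site requests")
    return findings


def is_persistent(header_value):
    """True when the cookie carries Max-Age or Expires (written to disk)."""
    attrs = parse_attrs(header_value)
    return "max-age" in attrs or "expires" in attrs


if __name__ == "__main__":
    # Constructed sample: a hardened session cookie and a legacy one to audit.
    print(build_cookie("sid", "opaque-session-id"))
    print(build_cookie("remember", "opaque-remember-id", max_age=86400))
    print(audit_set_cookie("sid=opaque-session-id; Path=/"))
```

Run the audit over the Set-Cookie headers a target returns (for example from a proxy capture) to spot session cookies that lack Secure or HttpOnly before looking for ways to steal them.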
Session Hijacking
Taking over an established session. At the network level this is a spoofing attack in which the attacker disconnects a host and replaces it with his or her own machine, spoofing the original host's IP address (TCP session hijacking); at the web layer it means obtaining or forging the victim's session identifier and presenting it as one's own
Web session hijacking typically occurs through theft of the session cookie (cross-site scripting, sniffing unencrypted traffic, malware on the client) or through modification of cookies
Session Prediction Attacks
A spoofing attack in which the attacker guesses or computes a valid session token, either by collecting their own tokens and inferring the generation scheme or by brute-forcing a small token space, and then uses it to hijack another user's session
Session tokens must be generated by a cryptographically secure random number generator with enough entropy (at least 128 bits) that guessing is infeasible, and must not encode anything about the session client (username, IP address, login timestamp, a sequential counter)
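The prediction attack described above, as an added example that is not part of the original page: weak_token is a hypothetical scheme that base64-encodes the username and login time (so it both reveals the client and is fully determined by guessable values), guess_session plays the attacker enumerating issue times around an approximate login time against a constructed store of valid tokens, and strong_token shows the CSPRNG-based alternative.

```python
# Added example: a predictable session-token scheme, the prediction attack it invites,
# and a CSPRNG-based generator. The token scheme and session store are constructed.
import base64
import secrets


def weak_token(username, issued_at):
    """Hypothetical weak scheme: base64 of 'user:unix_time'.
    Reversible (leaks the client) and computable from values an attacker can guess."""
    return base64.urlsafe_b64encode(f"{username}:{issued_at}".encode()).decode()


def decode_weak_token(token):
    """Anyone holding such a token can read the username and login time out of it."""
    user, _, ts = base64.urlsafe_b64decode(token).decode().partition(":")
    return user, int(ts)


def guess_session(valid_tokens, username, approx_time, window=300):
    """Attacker side: knowing the victim's username and roughly when they logged in
    (inferred from their own token's structure), try every issue time in the window
    until the server accepts a candidate. Returns (token, attempts)."""
    attempts = 0
    for t in range(approx_time - window, approx_time + window + 1):
        attempts += 1
        candidate = weak_token(username, t)
        if candidate in valid_tokens:      # stands in for an online check against the server
            return candidate, attempts
    return None, attempts


def strong_token():
    """32 bytes from the OS CSPRNG (256 bits), URL-safe encoded, carrying no client data."""
    return secrets.token_urlsafe(32)


if __name__ == "__main__":
    login_time = 1_700_000_000                      # constructed victim login time
    server_sessions = {weak_token("alice", login_time)}
    print(decode_weak_token(next(iter(server_sessions))))
    print(guess_session(server_sessions, "alice", login_time + 120))
    print(strong_token())
```

A token with 256 bits of OS randomness cannot be narrowed down by any knowledge about the user, so the same enumeration makes no progress against strong_token; the defence is entropy from a CSPRNG, not obscuring the encoding.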
Cookie Poisoning
Modifies the contents of a cookie after the web server has generated it and sent it to the client's browser, so that the altered cookie can be used to exploit vulnerabilities in the web app, for example by changing a role or user-ID field that the server reads back and trusts without verification. The server must never base authorization on unverified client-held values; any cookie whose content the server reads back should be signed (HMAC) or encrypted with authentication so tampering is detected
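Cookie poisoning and the integrity protection the cookie notes above call for, as an added example that is not part of the original page: sign_cookie/verify_cookie implement an HMAC-SHA256 signed cookie with a server-held key, poison plays the attacker editing a field in the encoded body while keeping the old tag, and unsigned_server_reads shows what a server that skips verification would believe. The payload fields and key are constructed for illustration.

```python
# Added example: HMAC-signed cookie versus cookie poisoning (Python standard library only).
import base64
import hashlib
import hmac
import json
import secrets

# Server-side secret; never leaves the server, so the client cannot forge tags.
SERVER_KEY = secrets.token_bytes(32)


def _encode(payload):
    return base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).decode()


def _decode(body):
    return json.loads(base64.urlsafe_b64decode(body))


def sign_cookie(payload, key=SERVER_KEY):
    """Return 'body.tag' where tag = HMAC-SHA256(key, body)."""
    body = _encode(payload)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


def verify_cookie(cookie, key=SERVER_KEY):
    """Return the payload if the tag is valid, else None. Constant-time comparison."""
    body, sep, tag = cookie.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    return _decode(body)


def poison(cookie, **changes):
    """Attacker: decode the body, alter fields, re-encode, keep the original tag."""
    body, _, tag = cookie.rpartition(".")
    data = _decode(body)
    data.update(changes)
    return f"{_encode(data)}.{tag}"


def unsigned_server_reads(cookie):
    """A server that trusts the body without checking the tag sees the poisoned values."""
    body, _, _ = cookie.rpartition(".")
    return _decode(body)


if __name__ == "__main__":
    issued = sign_cookie({"user": "alice", "role": "user"})
    forged = poison(issued, role="admin")
    print("unsigned server sees:", unsigned_server_reads(forged))
    print("verifying server sees:", verify_cookie(forged))
```

HMAC gives integrity only: the client can still read the body, and a stolen cookie still replays. Encrypt with an authenticated mode if the content is confidential, or better, keep the state server-side and put only an opaque random identifier in the cookie.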