Home
Independent
Programming
  1. Software Standards Specification
  2. Software Requirements Definition
  3. Software Best Practices
  4. Input Validation
  5. Output Validation
  6. Cookie Requirements
  7. Access Failure Error Checking
  8. Buffer Overflow
  9. Code Structure
  10. Software Functions
  11. Software Modules
  12. Requirements for Variables
  13. Software Code Comment Requirements
  14. Quality Code Requirements
  15. Software Code Review
  16. Software Code Testing Requirements
  17. Software Change Control

    Security Best Practices

  18. Secure Functional Requirements
  19. Account Creation
  20. Change Password
  21. Forgot Password
  22. Personal Question
  23. Contact Webmaster
  24. CAPTCHA Tests
  25. Answer Verification
Programming
Independent
Home

Cookie Requirements

This page defines some restrictions for cookies which should help reduce the chance that attackers can get useful information from user's browsers.

  • No confidential or sensitive information may be stored in a cookie.
  • Use DOMAIN and PATH attributes to restrict cookie access.
  • Use the HTTPOnly attribute to increase security of Internet Explorer and other browsers in the future - Indicates that the cookie can only be sent to the server that it originated from. Set this value to true so the cookie can only be sent to the server it originated from.
  • Proper setting of cookie parameters can help prevent cross site scripting where an attacker posts embedded javascript on someone else's site and uses the javascript on that site to send user login cookies to his site. Set this flag to true if you want the cookie to only be sent in encrypted form using the HTTPS protocol.

    Syntax of PHP setcookie function:
    setcookie(<name>,<value>,<expiration time>,<path>,<domain>,<secure>,<httponly>);
    The domain should be set to name of the domain it will be used on.
    The "secure" flag is used to set the cookie to force the cookie to be sent only when it is encrypted using the HTTPS protocol.
    The "httponly" flag is used to prevent scripting languages from accessing the cookie. This increases security since the scripting language cannot send the cooker to an attacker.

    Example:
    setcookie("test",10,mktime(0,0,0,$month,1,$year),"/","www.comptechdoc.org",false,true);

    This example will require the cookie to only be sent from the server it originated from, but does not require that the cookie be sent over HTTPS.