How it works...

In this recipe, we checked only a few attributes of a cookie. Although not as spectacular as other checks, verifying the cookie configuration in every penetration test we perform is important: an incorrectly configured session cookie opens the door to a session hijacking attack and to the misuse of a trusted user's account.

If a cookie doesn't have the HttpOnly flag enabled, it can be read by client-side script. This means that if there is a Cross-Site Scripting (XSS) vulnerability, which we will see in later chapters, the attacker will be able to obtain the identifier of a valid session and use that value to impersonate the real user in the application.

The Secure attribute, or Send For Encrypted Connections Only in Cookies Manager, tells the browser to send or receive this cookie only over encrypted channels, that is, only over an HTTPS connection. If this flag is not set, an attacker could perform a man-in-the-middle (MitM) attack and force the communication to be unencrypted, exposing the session cookie in clear text, which again leads to a scenario where the attacker can impersonate a valid user by holding their session identifier.
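The two checks described above can be automated against raw `Set-Cookie` headers. The following Python is an added example, not code from the book or from Cookies Manager: it parses each `Set-Cookie` value, reports a finding when HttpOnly or Secure is absent, and shows how the standard library builds a hardened header with both flags. The header list `SAMPLE_HEADERS` and the cookie names in it are constructed for the example.

```python
"""Audit Set-Cookie headers for the HttpOnly and Secure flags (added example)."""
import http.cookies
from dataclasses import dataclass, field


@dataclass
class CookieAudit:
    name: str
    http_only: bool
    secure: bool
    findings: list = field(default_factory=list)


def parse_set_cookie(header_value: str) -> CookieAudit:
    """Parse one Set-Cookie header value and record which security flags it carries.

    Attribute names are matched case-insensitively, as browsers do, so
    "httponly" and "HttpOnly" count the same.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    # Attributes are everything after the first "name=value" pair.
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    audit = CookieAudit(
        name=name,
        http_only="httponly" in attrs,
        secure="secure" in attrs,
    )
    if not audit.http_only:
        audit.findings.append(
            "missing HttpOnly: cookie is readable by client-side script (XSS exposure)"
        )
    if not audit.secure:
        audit.findings.append(
            "missing Secure: cookie may be sent over plain HTTP (MitM exposure)"
        )
    return audit


def audit_headers(headers):
    """Audit every Set-Cookie header in a list of (name, value) pairs."""
    return [parse_set_cookie(v) for n, v in headers if n.lower() == "set-cookie"]


def hardened_set_cookie(name: str, value: str, path: str = "/") -> str:
    """Build a Set-Cookie value with both flags set, using http.cookies."""
    jar = http.cookies.SimpleCookie()
    jar[name] = value
    jar[name]["path"] = path
    jar[name]["httponly"] = True
    jar[name]["secure"] = True
    return jar[name].OutputString()


# Constructed response headers: one weak session cookie and one correct one.
SAMPLE_HEADERS = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Set-Cookie", "session=c0ffee1234; Path=/"),
    ("Set-Cookie", "sid=abc123; Path=/; HttpOnly; Secure"),
]


if __name__ == "__main__":
    for audit in audit_headers(SAMPLE_HEADERS):
        status = "OK" if not audit.findings else "WEAK"
        print(f"{audit.name}: {status}")
        for finding in audit.findings:
            print(f"  - {finding}")
    print("Hardened header:", hardened_set_cookie("session", "c0ffee1234"))
```

The parser deliberately ignores the cookie value and only looks at attribute names, which is all the two checks need; a weak cookie produces two findings, a correctly flagged one produces none.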
