When performing penetration testing on web applications, we should pay attention to certain attributes of the cookies to verify that they are secure:
- HttpOnly: If a cookie has this flag set, it will not be accessible from scripting code in the page; this means that the cookie value can only be altered by the server. We can still use the browser's developer tools or a plugin to change it, but not a script running within the page.
- Secure: The cookie won't be transferred over unencrypted channels; if a site uses HTTPS and this flag is set on the cookie, the browser won't send the cookie when a request is made over plain HTTP.
- Expires: If the expiration date is set in the future, the cookie is persistent: it is stored in a local file and is kept even after the browser closes. An attacker who can read that file could obtain the cookie directly and perhaps steal a valid user's session.
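The three attributes above can be checked automatically against the `Set-Cookie` headers a server returns. The following Python script is an added example, not code from the original text: it parses each header value and reports cookies that lack `HttpOnly` or `Secure`, or that are persistent because of an `Expires` date in the future (or a positive `Max-Age`, which browsers prefer over `Expires` when both are present). The header values and the fixed reference clock are constructed for the example.

```python
"""Audit Set-Cookie header values for the HttpOnly, Secure and Expires attributes."""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed sample Set-Cookie values (not captured from any real site).
SAMPLE_HEADERS = [
    "sessionid=abc123; Path=/; HttpOnly; Secure; SameSite=Lax",
    "PHPSESSID=def456; Path=/",
    "remember_me=ghi789; Expires=Wed, 21 Oct 2026 07:28:00 GMT; Path=/; Secure",
    "tracker=jkl012; Max-Age=2592000; Path=/; HttpOnly",
]

# Constructed fixed clock so that persistence results are reproducible.
REFERENCE_NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)


def parse_set_cookie(header):
    """Split a Set-Cookie value into name, value and an attribute map.
    Attribute names are lower-cased; bare flags (HttpOnly, Secure) map to True."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, has_value, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_value else True
    return {"name": name.strip(), "value": value, "attrs": attrs}


def is_persistent(attrs, now=None):
    """True if the cookie is written to disk: Max-Age > 0, or an Expires date
    in the future. Max-Age takes precedence when both are present (RFC 6265)."""
    now = now or datetime.now(timezone.utc)
    if "max-age" in attrs:
        try:
            return int(attrs["max-age"]) > 0
        except ValueError:
            return False  # malformed Max-Age is ignored by browsers
    if "expires" in attrs:
        try:
            return parsedate_to_datetime(attrs["expires"]) > now
        except (TypeError, ValueError):
            return False  # unparsable date: treated as a session cookie
    return False


def audit_cookie(header, now=None):
    """Return the findings for one Set-Cookie value; an empty list means no issue."""
    cookie = parse_set_cookie(header)
    attrs = cookie["attrs"]
    findings = []
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: readable by scripts in the page")
    if "secure" not in attrs:
        findings.append("missing Secure: may be sent over plain HTTP")
    if is_persistent(attrs, now):
        findings.append("persistent: stored on disk until it expires")
    return {"name": cookie["name"], "findings": findings}


def audit_all(headers, now=None):
    """Audit a list of Set-Cookie values, e.g. response.headers.get_all('Set-Cookie')."""
    return [audit_cookie(h, now) for h in headers]


if __name__ == "__main__":
    for result in audit_all(SAMPLE_HEADERS):
        print(f"{result['name']}: {'; '.join(result['findings']) or 'OK'}")
```

In practice the list of header values comes from the proxy or HTTP client used during the test; only the session cookie (the one whose theft would give an attacker the user's session) normally needs all three properties, so the findings should be read against what each cookie is used for.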