Cookies are used to manage state, handle logins or to track you for advertising purposes and should be kept safe. The process involved in setting cookie are:-
When an HTTP protocol is used for communication between client and server, the data traffic is sent in plaintext. An HHTP allows the attacker to see/modify the traffic using a Man-In-The-Middle attack (MITM). HTTPS is a secure version of HTTP. This protocol uses SSL/TLS to protect the data in the application layer. HTTPS is used for better authentication and data integrity. A secure flag is set by the application server while sending a new cookie to the user using an HTTP Response. The secure flag is used to prevent cookies from being observed and manipulated by an unauthorized party or parties. This is because the cookie is sent as a normal text. A browser will not send a cookie with the secure flag that is sent over an unencrypted HTTP request. That is, by setting the secure flag the browser will prevent/stop the transmission of a cookie over an unencrypted channel.
Using this vulnerability, an attacker can:-
Beagle recommends the following fixes:-
Add the following code In the
add requireSSL=”true” to the form’s element as well.
In PHP, this can be implemented in 3 ways
Method - 1: By using the ini_set function
Method - 2: By using session_set_cookie_params function:
Method - 3: By using the setcookie function