
24 January 2014

Comments

We are looking into options for adding HMAC protection to Cookie data. The trick here is that the data leaving the web app in the Set-Cookie response header is not exactly the same as the data returned in request Cookie headers.

Look at this example Set-Cookie from Google:

Set-Cookie: PREF=ID=45f40e8097a0ef03:FF=0:TM=1391003789:LM=1391003789:S=dHIbLYQBaCTU01tL; expires=Fri, 29-Jan-2016 13:56:29 GMT; path=/; domain=.google.com

Out of this data, only the "PREF" Cookie data would be sent back in subsequent requests. The expires, path and domain Set-Cookie elements instruct the browser what to do with the Cookie data but it is not included within the response. The end result is that we cannot simply hash the entire Set-Cookie header like we can do with HTML elements. We would need to only hash the first Cookie data section. This is where we are researching.
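The point made in the comment above, that only the leading name=value pair of a Set-Cookie header comes back in later Cookie headers, is what decides which bytes an HMAC may cover. The following added example (written for this page, not ModSecurity code) computes the MAC over exactly that pair, ships it in a companion cookie that copies the original attributes, and verifies it on the request side. The key, the `_mac` suffix convention and the helper names are assumptions for illustration.

```python
import hmac
import hashlib

# Constructed example key; a real deployment loads it from a secret store.
SECRET_KEY = b"example-secret-key-not-for-production"
# Assumed naming convention for the companion cookie that carries the MAC.
MAC_SUFFIX = "_mac"


def split_set_cookie(header_value):
    """Split a Set-Cookie value into (name, value, attributes).

    Only the leading name=value pair returns in later Cookie headers;
    expires/path/domain are browser instructions and never come back,
    so they are kept out of the MAC input.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    return name.strip(), value.strip(), parts[1:]


def cookie_mac(name, value, key=SECRET_KEY):
    """HMAC-SHA256 over exactly the bytes the browser will send back."""
    return hmac.new(key, f"{name}={value}".encode(), hashlib.sha256).hexdigest()


def protect_set_cookie(header_value, key=SECRET_KEY):
    """Return the original Set-Cookie plus a companion Set-Cookie holding the MAC.

    The companion copies the original attributes so the browser scopes and
    expires both cookies identically.
    """
    name, value, attrs = split_set_cookie(header_value)
    mac = cookie_mac(name, value, key)
    companion = "; ".join([f"{name}{MAC_SUFFIX}={mac}"] + attrs)
    return [header_value, companion]


def parse_cookie_header(header_value):
    """Parse a request Cookie header into a dict of name -> value."""
    cookies = {}
    for item in header_value.split(";"):
        item = item.strip()
        if not item:
            continue
        name, _, value = item.partition("=")
        cookies[name.strip()] = value.strip()
    return cookies


def verify_cookie(header_value, name, key=SECRET_KEY):
    """True if cookie `name` in a request Cookie header carries a valid MAC.

    A missing cookie, a missing companion MAC, or a mismatch all fail closed.
    """
    cookies = parse_cookie_header(header_value)
    mac_name = name + MAC_SUFFIX
    if name not in cookies or mac_name not in cookies:
        return False
    expected = cookie_mac(name, cookies[name], key)
    # Constant-time comparison so the check leaks nothing through timing.
    return hmac.compare_digest(expected, cookies[mac_name])


if __name__ == "__main__":
    # The Set-Cookie example from the comment above.
    set_cookie = ("PREF=ID=45f40e8097a0ef03:FF=0:TM=1391003789:LM=1391003789:"
                  "S=dHIbLYQBaCTU01tL; expires=Fri, 29-Jan-2016 13:56:29 GMT; "
                  "path=/; domain=.google.com")
    for header in protect_set_cookie(set_cookie):
        print("Set-Cookie:", header)
    name, value, _ = split_set_cookie(set_cookie)
    request_cookie = f"{name}={value}; {name}{MAC_SUFFIX}={cookie_mac(name, value)}"
    print("valid:", verify_cookie(request_cookie, name))
    print("tampered valid:", verify_cookie(request_cookie.replace("FF=0", "FF=1"), name))
```

The companion-cookie layout is one of several possible encodings; appending the MAC to the cookie value itself would work too, as long as the verification side strips it before recomputing the MAC over the original name=value bytes.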

Excellent and illustrative article, thanks.

I am guessing that it is possible to add an HMAC to cookie variables. Any pointers on how?
