Sonne_133164 (Nimbostratus), Dec 21, 2017
The question is whether there is anything sensitive within the cookie. Why do you need to encrypt the cookie? Isn't using HTTPS against MITM enough? Is the client storing this cookie for a longer period, and do you expect someone to access it, tamper with it, etc.?
For the best practices:
- Limit the amount of sensitive information stored in the cookie.
- Limit the subdomains and paths to prevent interception by another application.
- Enforce SSL so the cookie isn't sent in cleartext.
- Make the cookie HttpOnly.
Perhaps you can read more at https://www.owasp.org/index.php/Session_Management_Cheat_SheetCookies
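The checklist above can be turned into a quick audit of the Set-Cookie headers a server actually emits. This is an added example, not code from the post or from F5; the header values and the `/app` path are constructed sample input.

```python
"""Audit Set-Cookie header values against the cookie-hardening checklist.

Added example; SAMPLE_HEADERS are constructed, not captured from a real server.
"""
from http.cookies import SimpleCookie

# Constructed Set-Cookie values as a server might emit them.
SAMPLE_HEADERS = [
    "session=abc123; Path=/app; Secure; HttpOnly",
    "tracking=xyz; Domain=example.com; Path=/",
    "prefs=dark; Path=/app; Secure",
]


def audit_set_cookie(header, app_path="/app"):
    """Return a list of findings for one Set-Cookie header value.

    Checks the four points from the checklist: Secure (not sent in cleartext),
    HttpOnly (not readable by script), and Domain/Path scoping (not shared
    with other subdomains or applications on the same host).
    """
    cookie = SimpleCookie()
    cookie.load(header)
    findings = []
    for name, morsel in cookie.items():
        if not morsel["secure"]:
            findings.append(f"{name}: missing Secure, may be sent over cleartext HTTP")
        if not morsel["httponly"]:
            findings.append(f"{name}: missing HttpOnly, readable by page scripts")
        # Any explicit Domain attribute makes the cookie available to every
        # subdomain of that domain (RFC 6265); omitting it keeps it host-only.
        if morsel["domain"]:
            findings.append(f"{name}: Domain={morsel['domain']} is shared with all subdomains")
        # Path is a weak boundary (same-origin scripts can still read it), but a
        # Path broader than the application exposes the cookie to other apps on the host.
        path = morsel["path"] or "/"
        if not path.startswith(app_path):
            findings.append(f"{name}: Path={path} is broader than the application path {app_path}")
    return findings


def audit_all(headers, app_path="/app"):
    """Map each header to its findings; an empty list means it passed every check."""
    return {h: audit_set_cookie(h, app_path) for h in headers}


if __name__ == "__main__":
    for header, findings in audit_all(SAMPLE_HEADERS).items():
        print(header, "->", findings or "OK")
```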