Monday, February 20, 2012

The important "expires" attribute of Set-Cookie

The Established Assumption

It has been widely known about the "expires" attribute of Set-Cookie HTTP Response header in the following way. 

Taken from OWASP Testing Guide:
https://www.owasp.org/index.php/Testing_for_cookies_attributes_(OWASP-SM-002)
*expires - This attribute is used to set persistent cookies, since the cookie does not expire until the set date is exceeded.  This persistent cookie will be used by this browser session and subsequent sessions until the cookie expires.  Once the expiration date has exceeded, the browser will delete the cookie.  Alternatively, if this attribute is not set, then the cookie is only valid in the current browser session and the cookie will be deleted when the session ends. 

The Truth 

Although setting without "expires" attribute is acceptable at first sight because of the browser's automatic cookie clean-up management, the cookie will stay active until the user manually closes the whole browser window, i.e. the browser process. It is worthy to note that the cookie will not be deleted even if the user just closes the browser tab. In the meantime, the cookie may be cached by intermediate caching proxy servers. Relying on external factors for the application security often fails without notice. It is the best practice that the application should manually set the "expires" attribute to the session cookie. Alternatively, if the application does not set the attribute, the application does not seem to have a defined session expiration time-out, which is a failure in secure session management.


Useful References

http://blog.isc2.org/isc2_blog/2008/09/proxy-caches-ar.html
http://www.slideshare.net/TimBass/OWASPTAIPEIThailandTBass
   

No comments:

Post a Comment