Cookie Path Best Practice
by Martin O'Neal - Technical Director of Corsaire - Sunday, 27 June 2004
Cookies provide a method for creating a stateful HTTP session and their recommended use is formally defined within RFC2965 and BCP44.

Although they are used for many purposes, they are often used to maintain a Session ID (SID), through which an individual user can be identified throughout their interaction with the site. For a site that requires authentication, this SID is typically passed to the user after they have authenticated and effectively maintains the authentication state. If an attacker can use a mechanism (such as sniffing or cross site scripting) to gain access to the SID, then potentially they can incorporate it within their own session to successfully assume the users identity. The cookie specifications provide arguments for restricting the domain and path for which the user agent (browser) will supply the cookie. Both of these should be matched by the request before the user agent sends the cookie data to the server.

It is common for the path argument to be specified as the root of the origin server; a practise that can expose the application cookies to unnecessary additional scrutiny. It is worth noting however, that whilst the various “same origin” security issues still afflict the browser vendors, the specification of the cookie path argument is somewhat of a moot point.

Download the paper in PDF format here.


Biggest ever cyber security exercise in Europe is underway

Posted on 30 October 2014.  |  More than 200 organisations and 400 cyber-security professionals from 29 European countries are testing their readiness to counter cyber-attacks in a day-long simulation, organised by the European Network and Information Security Agency (ENISA).

Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.

Daily digest

Receive a daily digest of the latest security news.


Thu, Oct 30th