Cookies & Session Integrity
One-line relationship: three cookie flags do most of the work behind two separate defenses covered elsewhere — CSRF mitigation and token-theft resistance. This page is the reference for what each flag actually does.
The three flags
| Flag | What it does | What it blunts |
|---|---|---|
Secure | Cookie is only ever sent over HTTPS, never plaintext HTTP | Network eavesdropping, downgrade attacks |
HttpOnly | Cookie is invisible to JavaScript (document.cookie can’t read it) | Token/session theft via a successful XSS injection |
SameSite | Controls whether the cookie is attached on a cross-site request (Strict, Lax, or None) | CSRF — the browser simply doesn’t send the cookie on the forged request |
None of these is optional on a banking session cookie. The common gap in practice is HttpOnly being skipped because some client-side code “needs” to read the session value — that need is almost always better served by a separate, non-sensitive flag the JS layer can read, leaving the actual session token opaque to the DOM entirely.
Session fixation vs session hijacking
Two different attacks that both end with an attacker in possession of a valid session, worth not conflating:
- Fixation — the attacker sets or predicts the session identifier before the victim logs in (e.g. via a URL parameter the app naively accepts), then uses that same ID once the victim authenticates. Defense: always issue a fresh session ID on login, never accept one supplied by the client pre-auth.
- Hijacking — the attacker steals an already-authenticated session ID after the fact — via XSS reading a non-
HttpOnlycookie, a network sniff on a non-Securecookie, or a leaked log. Defense: the three flags above, plus short session lifetimes and re-authentication for sensitive actions.
What to take to the client
This is the one page in the portal that’s pure configuration, not architecture — there’s no design trade-off in setting all three flags on a banking session cookie. If an ASVS or pentest review finds a session cookie missing any of Secure, HttpOnly, or an explicit SameSite, that’s a same-day fix, not a roadmap item.