Deep DivesCookies & Session Integrity

Cookies & Session Integrity

One-line relationship: three cookie flags do most of the work behind two separate defenses covered elsewhere — CSRF mitigation and token-theft resistance. This page is the reference for what each flag actually does.

The three flags

FlagWhat it doesWhat it blunts
SecureCookie is only ever sent over HTTPS, never plaintext HTTPNetwork eavesdropping, downgrade attacks
HttpOnlyCookie is invisible to JavaScript (document.cookie can’t read it)Token/session theft via a successful XSS injection
SameSiteControls whether the cookie is attached on a cross-site request (Strict, Lax, or None)CSRF — the browser simply doesn’t send the cookie on the forged request

None of these is optional on a banking session cookie. The common gap in practice is HttpOnly being skipped because some client-side code “needs” to read the session value — that need is almost always better served by a separate, non-sensitive flag the JS layer can read, leaving the actual session token opaque to the DOM entirely.

Session fixation vs session hijacking

Two different attacks that both end with an attacker in possession of a valid session, worth not conflating:

  • Fixation — the attacker sets or predicts the session identifier before the victim logs in (e.g. via a URL parameter the app naively accepts), then uses that same ID once the victim authenticates. Defense: always issue a fresh session ID on login, never accept one supplied by the client pre-auth.
  • Hijacking — the attacker steals an already-authenticated session ID after the fact — via XSS reading a non-HttpOnly cookie, a network sniff on a non-Secure cookie, or a leaked log. Defense: the three flags above, plus short session lifetimes and re-authentication for sensitive actions.

What to take to the client

This is the one page in the portal that’s pure configuration, not architecture — there’s no design trade-off in setting all three flags on a banking session cookie. If an ASVS or pentest review finds a session cookie missing any of Secure, HttpOnly, or an explicit SameSite, that’s a same-day fix, not a roadmap item.