Cookies

Learn how CakeAuth manages cookies for your web applications

If you're building a web application, cookies play an important role in securing it.

A cookie (not the edible kind) is a small piece of information that the browser stores and sends back to the server on later requests.

Cookies are useful because HTTP is stateless: they let a request "remember" previous interactions (e.g. that the user has signed in). A cookie does this by carrying a piece of state about that interaction (e.g. a session identifier issued during authentication) on every subsequent request to the site. How securely that state is handled depends on the cookie's attributes, such as Domain and HttpOnly, described below.

How does CakeAuth use cookies?

CakeAuth uses the following cookies, among others:

Cookie                          Type            Purpose
__sessionID                     string          Stores the current session ID
__Secure-session.{session_id}   JWT             Stores the current session token (set with HttpOnly; see "Restricting Access with HttpOnly" below)
__client.{session_id}           JWT             Stores a short-lived access token
__time                          UNIX timestamp  Stores the timestamp of the last access token refresh

The __Secure- name prefix is enforced by browsers: a cookie with that prefix is only accepted when it carries the Secure attribute and is set from an HTTPS origin.

Important

Seek legal advice before using this information to craft your privacy policy.

Domains & Scope

Each cookie has a Domain attribute that determines which hosts the browser sends it to, and therefore which servers receive it in a request.

For example:

  • When a cookie is set by example.com without a Domain attribute, it is a host-only cookie: it is sent only with requests to example.com, not to its subdomains.
  • If the cookie's Domain is explicitly set to example.com, it is also included in requests to subdomains such as sub.example.com.
  • A cookie set by a subdomain (e.g. sub.example.com) without a Domain attribute is not sent with requests to the parent domain (example.com). Note, however, that sub.example.com may set Domain=example.com, in which case the cookie is shared with example.com and every other subdomain; the browser only rejects a Domain that the setting host does not belong to (e.g. example.com trying to set Domain=evil.com).
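To make these rules concrete, here is an added example (not CakeAuth code) that models the domain-matching rule of RFC 6265 that a browser applies when deciding whether to store a cookie and whether to attach it to a request. The host names, the evil.com case and the expected outcomes are constructed for illustration; the public-suffix rule (a browser also rejects Domain=com or Domain=co.uk) is not modelled.

```javascript
// Added example, not CakeAuth code: a minimal model of how a browser scopes
// cookies by host, following the domain-match rule of RFC 6265.

// A request host "domain-matches" a cookie domain when it is the same string
// or ends with "." + domain (so "notexample.com" does NOT match "example.com").
function domainMatches(requestHost, cookieDomain) {
  const h = requestHost.toLowerCase();
  const d = cookieDomain.toLowerCase();
  return h === d || h.endsWith("." + d);
}

// Decide how a cookie set by `setByHost` is scoped.
//   - no Domain attribute -> host-only cookie, sent to exactly that host
//   - Domain attribute    -> shared across that domain and all its subdomains,
//                            but only accepted if the setting host itself
//                            domain-matches it (otherwise the browser drops it)
// Returns null when the browser would reject the cookie.
function cookieScope(setByHost, domainAttr) {
  const host = setByHost.toLowerCase();
  if (!domainAttr) return { hostOnly: true, domain: host };
  const domain = domainAttr.replace(/^\./, "").toLowerCase(); // a leading dot is ignored
  if (!domainMatches(host, domain)) return null;
  return { hostOnly: false, domain };
}

// Would the browser attach a cookie with this scope to a request to `requestHost`?
function isSentTo(scope, requestHost) {
  if (!scope) return false;
  const host = requestHost.toLowerCase();
  return scope.hostOnly ? host === scope.domain : domainMatches(host, scope.domain);
}

// Constructed cases covering the three bullets above plus some edge cases.
const CASES = [
  // [set by host,    Domain attribute, request host,      expected]
  ["example.com",     null,          "example.com",     true ], // host-only, same host
  ["example.com",     null,          "sub.example.com", false], // host-only, not sent to subdomains
  ["example.com",     "example.com", "sub.example.com", true ], // explicit Domain covers subdomains
  ["sub.example.com", null,          "example.com",     false], // subdomain host-only, not sent to parent
  ["sub.example.com", "example.com", "example.com",     true ], // subdomain CAN opt into the parent domain
  ["example.com",     "evil.com",    "evil.com",        false], // foreign Domain is rejected outright
  ["example.com",     "example.com", "notexample.com",  false], // suffix without the dot does not match
];

function runCases() {
  return CASES.map(([setBy, domainAttr, reqHost, expected]) => {
    const sent = isSentTo(cookieScope(setBy, domainAttr), reqHost);
    return { setBy, domainAttr, reqHost, sent, ok: sent === expected };
  });
}

if (typeof require !== "undefined" && require.main === module) {
  for (const r of runCases()) {
    const dom = r.domainAttr === null ? "(none)" : r.domainAttr;
    console.log(`${r.ok ? "ok  " : "FAIL"} set by ${r.setBy}, Domain=${dom} -> ${r.reqHost}: ${r.sent ? "sent" : "not sent"}`);
  }
}
```

Run it with node to print one line per case. The fifth case is the one to remember when several applications share a parent domain: any subdomain can plant a cookie that reaches the whole domain, which is why a session cookie that should stay on one host is best set without a Domain attribute.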

Restricting Access with HttpOnly

By default, JavaScript running on a page can read that page's cookies through document.cookie. That is convenient, but it means a Cross-Site Scripting (XSS) vulnerability lets injected script read the cookies and send them to an attacker.

To mitigate this risk, set the HttpOnly flag on the cookie. The browser then refuses to expose it to client-side script while still attaching it to HTTP requests. Note that HttpOnly limits the damage of an XSS rather than preventing it: injected script can still make authenticated requests from the victim's browser, but it can no longer copy the token out for reuse elsewhere.

For example, CakeAuth sets the session token cookie (__Secure-session.{session_id}) with this flag on.
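A quick way to check that a deployment actually applies these flags is to audit the Set-Cookie headers it returns. The following is an added example (not CakeAuth code) that parses a Set-Cookie header and reports the attributes that matter for a session cookie: HttpOnly, Secure, SameSite and the browser-enforced __Secure-/__Host- name prefixes. The cookie names follow the table above; the session ID, token values and the three sample headers are constructed for illustration.

```javascript
// Added example, not CakeAuth code: parse a Set-Cookie header and audit the
// security attributes a session cookie should carry.

function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map(s => s.trim());
  const eq = pair.indexOf("=");                      // split on the first "=" only; values may contain "="
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const a of attrs) {
    const i = a.indexOf("=");
    const key = (i === -1 ? a : a.slice(0, i)).toLowerCase(); // attribute names are case-insensitive
    cookie.attrs[key] = i === -1 ? true : a.slice(i + 1);
  }
  return cookie;
}

function auditSetCookie(header) {
  const c = parseSetCookie(header);
  const has = k => Object.prototype.hasOwnProperty.call(c.attrs, k);
  const findings = [];
  if (!has("httponly"))
    findings.push("missing HttpOnly: readable via document.cookie, so an XSS can exfiltrate it");
  if (!has("secure"))
    findings.push("missing Secure: the browser will also send it over plaintext HTTP");
  if (!has("samesite"))
    findings.push("missing SameSite: relies on the browser default; set Lax or Strict explicitly");
  else if (String(c.attrs.samesite).toLowerCase() === "none" && !has("secure"))
    findings.push("SameSite=None without Secure: the browser rejects the cookie");
  if (c.name.startsWith("__Secure-") && !has("secure"))
    findings.push("__Secure- prefix without Secure: the browser rejects the cookie");
  if (c.name.startsWith("__Host-") && (!has("secure") || has("domain") || c.attrs.path !== "/"))
    findings.push("__Host- prefix requires Secure, no Domain, and Path=/");
  return { name: c.name, findings };
}

// Constructed headers (made-up session ID and token): the weak form beside the hardened form.
const WEAK_HEADER =
  "__client.9f2c1e=eyJhbGciOiJIUzI1NiJ9.e30.sig; Path=/";
const HARDENED_HEADER =
  "__Secure-session.9f2c1e=eyJhbGciOiJIUzI1NiJ9.e30.sig; Path=/; Secure; HttpOnly; SameSite=Lax";
// Prefix misuse: the name promises Secure but the attribute is missing, so browsers drop it.
const MISPREFIXED_HEADER =
  "__Secure-session.9f2c1e=eyJhbGciOiJIUzI1NiJ9.e30.sig; Path=/; HttpOnly; SameSite=Lax";

function auditAll() {
  return [WEAK_HEADER, HARDENED_HEADER, MISPREFIXED_HEADER].map(auditSetCookie);
}

if (typeof require !== "undefined" && require.main === module) {
  for (const r of auditAll()) {
    console.log(`${r.name}: ${r.findings.length === 0 ? "ok" : r.findings.join("; ")}`);
  }
}
```

Running it with node prints one line per header: the weak __client cookie gets three findings, the hardened __Secure-session cookie none, and the mis-prefixed one is flagged both for the missing Secure attribute and for the prefix the browser will enforce. Paste in headers captured from your own deployment (browser devtools or `curl -I`) to audit them the same way.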
