ABSTRACT

Storing sensitive data in a persistent cookie can lead to a breach of confidentiality or account compromise.

EXPLANATION

Most Web programming environments default to creating non-persistent cookies. These cookies reside only in browser memory (they are not written to disk) and are lost when the browser is closed. Programmers can specify that cookies be persisted across browser sessions until some future date. Such cookies are written to disk and survive across browser sessions and computer restarts.

If private information is stored in persistent cookies, attackers have a larger time window in which to steal this data - especially since persistent cookies are often set to expire in the distant future. Persistent cookies are often used to profile users as they interact with a site. Depending on what is done with this tracking data, it is possible to use persistent cookies to violate users' privacy.


Example: The following code sets a cookie to expire in 10 years.


Cookie cookie = new Cookie("emailCookie", email);
cookie.setMaxAge(60*60*24*365*10);

REFERENCES

[1] Standards Mapping - OWASP Top 10 2010 - (OWASP 2010) A7 Insecure Cryptographic Storage

[2] Standards Mapping - OWASP Top 10 2007 - (OWASP 2007) A8 Insecure Cryptographic Storage

[3] Standards Mapping - OWASP Top 10 2004 - (OWASP 2004) A8 Insecure Storage

[4] Standards Mapping - Security Technical Implementation Guide Version 3 - (STIG 3) APP3210.1 CAT II

[5] Class Cookie Sun Microsystems

[6] Standards Mapping - Common Weakness Enumeration - (CWE) CWE ID 539

[7] Standards Mapping - Web Application Security Consortium 24 + 2 - (WASC 24 + 2) Information Leakage

[8] Standards Mapping - FIPS200 - (FISMA) MP

[9] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 - (PCI 1.2) Requirement 3.4, Requirement 6.3.1.3, Requirement 6.5.8

[10] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 - (PCI 2.0) Requirement 3.4, Requirement 6.5.3

[11] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 - (PCI 1.1) Requirement 3.4, Requirement 6.5.8