- Do not store sensitive information in cookies
- If sensitive information must be stored in cookies, protect it so that any modification by the user is detected by the server and the cookie rejected
- Validate all cookie values to ensure that they are well-formed and correct
First of all, cookies travel as ordinary HTTP headers passed back and forth between the Web server and the Web browser. Nothing gives them special status or guarantees that their values will not change between the moment the Web application sets them and the moment the browser sends them back. Cookies are just "bits on the wire": a user with a Web proxy tool (or just the browser's own tooling) can add, delete, or rewrite any cookie at will.
For this reason, sensitive information should not be stored in cookies, and security-relevant decisions in code should never be made on the basis of a cookie value the server cannot independently verify. If a Web application uses few or no cookies, and the cookie values it does use drive only non-sensitive decisions, the impact of a modified cookie is reduced or eliminated.
If sensitive information must be stored in a cookie, it should be encrypted with an industry-standard, well-tested algorithm such as AES. Encryption alone, however, provides confidentiality, not integrity: with a mode such as AES-CBC, an attacker who flips bits in the ciphertext can change the decrypted value, and decryption will not "fail" in any detectable way. To make modification detectable, use an authenticated mode (AES-GCM) or pair AES with an HMAC computed over the ciphertext (encrypt-then-MAC), and verify the tag before decrypting. A cookie that fails the check should be treated as hostile and discarded. Note that even a correctly protected cookie can be captured and replayed unchanged, so it should also carry an expiry or be bound to the session.
The ASP.NET platform itself offers little help against cookie poisoning for the cookies an application sets. The one exception is the forms-authentication ticket, which ASP.NET encrypts and signs using the machineKey configuration; cookies written through Response.Cookies receive no such protection. The ASP.NET validation controls, useful as they are for validating Web control values, do not apply to cookies. The regular expression support in .NET, on the other hand, is a good tool for checking a cookie value against positive criteria (what a well-formed value must look like) rather than a list of known-bad patterns. As with most application security issues, it is up to the developer to make good design and coding decisions. That is the root of any good input validation strategy.
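The following is an added example, not code from the original article, that ties the two points above together: it protects a cookie value with AES-256-CBC plus an HMAC-SHA256 tag (encrypt-then-MAC), verifies the tag before decrypting, and then applies a positive regular-expression check to the recovered value. It assumes .NET 6 or later, an illustrative cookie named `acct` whose only legitimate content is a 1-9 digit account id, and per-process keys generated at startup purely so it runs stand-alone; a real deployment keeps both keys in server-side configuration shared across the farm.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
using System.Text.RegularExpressions;

// Added example (not code from the original article). Protects a cookie value with
// AES-256-CBC plus an HMAC-SHA256 tag (encrypt-then-MAC) so that tampering is
// detected, then applies positive (allow-list) validation to the recovered value.
// Assumes .NET 6 or later; the key handling and cookie format are illustrative.
public static class ProtectedCookie
{
    private const int IvLength = 16;   // AES block size
    private const int TagLength = 32;  // HMAC-SHA256 output length

    // Two independent keys. Generated per process here only so the example runs
    // stand-alone; a real application persists them server-side, never derives
    // one from the other, and never derives either from anything in the cookie.
    private static readonly byte[] EncryptionKey = RandomNumberGenerator.GetBytes(32);
    private static readonly byte[] MacKey = RandomNumberGenerator.GetBytes(32);

    // Positive validation: this cookie may only carry a 1-9 digit account id
    // (an assumed format for the example). \z rather than $ so a trailing
    // newline cannot slip past the check.
    private static readonly Regex AllowedValue =
        new Regex(@"^[0-9]{1,9}\z", RegexOptions.Compiled);

    // Produces the cookie value: Base64( IV || ciphertext || HMAC(IV || ciphertext) ).
    public static string Protect(string value)
    {
        if (!AllowedValue.IsMatch(value))
            throw new ArgumentException("value does not match the allowed format", nameof(value));

        using Aes aes = Aes.Create();
        aes.Key = EncryptionKey;
        aes.GenerateIV();                                   // fresh random IV per cookie
        byte[] ciphertext = aes.EncryptCbc(Encoding.UTF8.GetBytes(value), aes.IV);

        byte[] body = new byte[IvLength + ciphertext.Length];
        Buffer.BlockCopy(aes.IV, 0, body, 0, IvLength);
        Buffer.BlockCopy(ciphertext, 0, body, IvLength, ciphertext.Length);

        byte[] tag = HMACSHA256.HashData(MacKey, body);     // MAC covers IV and ciphertext
        byte[] cookie = new byte[body.Length + TagLength];
        Buffer.BlockCopy(body, 0, cookie, 0, body.Length);
        Buffer.BlockCopy(tag, 0, cookie, body.Length, TagLength);
        return Convert.ToBase64String(cookie);
    }

    // Returns the validated value, or null if the cookie is malformed, has been
    // modified in transit, or decrypts to something outside the allowed format.
    public static string? Unprotect(string cookieValue)
    {
        byte[] raw;
        try { raw = Convert.FromBase64String(cookieValue); }
        catch (FormatException) { return null; }            // not even valid Base64

        // Minimum well-formed size: IV + one full ciphertext block + tag.
        if (raw.Length < IvLength + 16 + TagLength) return null;

        byte[] body = raw[..^TagLength];
        byte[] tag = raw[^TagLength..];

        // Verify the MAC before touching the ciphertext: the constant-time compare
        // avoids timing leaks, and refusing to decrypt unauthenticated data removes
        // the padding-oracle avenue that CBC would otherwise expose.
        byte[] expectedTag = HMACSHA256.HashData(MacKey, body);
        if (!CryptographicOperations.FixedTimeEquals(tag, expectedTag)) return null;

        using Aes aes = Aes.Create();
        aes.Key = EncryptionKey;
        byte[] plaintext;
        try { plaintext = aes.DecryptCbc(body[IvLength..], body[..IvLength]); }
        catch (CryptographicException) { return null; }

        string value = Encoding.UTF8.GetString(plaintext);
        return AllowedValue.IsMatch(value) ? value : null;  // still validate the plaintext
    }

    public static void Main()
    {
        string cookie = Protect("12345");
        Console.WriteLine($"Set-Cookie: acct={cookie}; Secure; HttpOnly; SameSite=Lax");
        Console.WriteLine($"Unmodified cookie -> {Unprotect(cookie)}");

        // What a user with a Web proxy tool can do: flip one bit of the ciphertext.
        // With CBC and no MAC this could silently alter the decrypted value; here
        // the tag check rejects it before any decryption happens.
        byte[] tampered = Convert.FromBase64String(cookie);
        tampered[IvLength] ^= 0x01;
        Console.WriteLine($"Bit-flipped cookie -> {Unprotect(Convert.ToBase64String(tampered)) ?? "rejected"}");

        // A value the attacker made up from scratch (Base64 of "admin=true").
        Console.WriteLine($"Forged cookie -> {Unprotect("YWRtaW49dHJ1ZQ==") ?? "rejected"}");
    }
}
```

Two design points worth noting. The MAC is checked first and in constant time, so an attacker who rewrites the cookie never gets the server to decrypt attacker-controlled bytes; and the plaintext is still run through the positive regular expression afterwards, because "it decrypted" only proves the server produced the value at some point, not that it is appropriate for the current request. Expiry or session binding, which this example omits, is what stops a captured cookie from being replayed unchanged.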
This was first published in August 2006