Home/ Questions/Q 8781129
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-13T20:13:18+00:00

I’m using SSL to transmit all data. HTTP is completely disabled. Short of malware,

  • 0

I’m using SSL to transmit all data. HTTP is completely disabled. Short of malware, or accessing someones physical machine (both of which are very hard to prevent from server side), I don’t see how an attacker could steal a login cookie.

Thus, is it okay to not worry about stealing a login cookie?

The complexity to properly implement a non-stealable login cookie, that still allows users to have sessions across different browsers and different machines is higher than the material it’s safe-guarding.

Thus, I believe it’s okay to not safe guard against copy and pasting cookie data from machine to machine.

Is this a valid trade off, or am I forgetting something critical here.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    You do need to ensure that you have the Secure flag set on your cookie, because you can’t generally prevent people from attempting to access your site over non-SSL. Otherwise, I believe you should be OK.

    That said, I’d suggest taking reasonable precautions. For example:

    • Never include any data in cookies or on the wire that could be used to derive the user’s password.
    • If possible, set the HttpOnly flag on sensitive cookies so that any potentially-untrusted JavaScript can’t steal them.
    • 0