1Haz
What are the consequences of cookies, including the session cookie, being stolen?
I have recently been wondering what the consequences would be if an attacker got access to a user’s cookies, including the session cookie, for my web app.
- Could they impersonate said user?
- Could they only access the user’s browsing history and saved passwords?
- Could they perform a CSRF attack but nothing else?
- Or could they do even more?
If this cookie theft is a serious attack vector, how can I prevent it? Also, to help me prevent it, how does it happen in the first place?
I have seen many potential dupes, such as:
- XSS for stealing cookies … not anymore? (regarding the effectiveness of http-only flag on cookies against XSS)
- Cookies Stealing (regarding stealing cookies with MITM attacks)
- Can yubikeys prevent cookie stealing? (regarding the role of HW tokens in cookie protection)
But, I wouldn’t consider my question as a duplicate because I am asking what would happen if this did happen, and how I can stop this now. None of these questions answered my question.