LOGBOOK

HELP

Quiz Entry - updated: 2026.07.05

What are the main disadvantages and attack vectors of cookie-based authentication?

The genuine cookie weakness is the session cookie itself — steal it and you're the user. Separate that from two things people lump in but that aren't cookie problems: the choice of password as the login factor, and the burden of rolling your own account system.

1. The real session-cookie weaknesses (inherent to the model, and they apply no matter how you logged in — password, passkey, SSO, anything):

  • Session hijacking — if an attacker steals the cookie (XSS, sniffing on plain HTTP, a MitM), they are the user, no credential needed. The cookie is a bearer token: whoever holds it is trusted.
  • CSRF — because the browser auto-attaches the cookie to every request to that site, a malicious page can trigger authenticated actions unless you defend with SameSite/CSRF tokens.
  • Session fixation and weak/guessable session IDs.
  • Mitigations: HttpOnly (blocks JavaScript/XSS theft), Secure (HTTPS-only), SameSite (limits CSRF), plus rotating the ID on login and short expiries.

2. Not a cookie weakness — the credential is weak. "Username + password is phishable/reusable/guessable" is true, but it's a property of the password factor, not of cookies. A session cookie issued after a passkey (WebAuthn) login is the very same cookie — so swapping the factor removes the phishing problem while the cookie mechanics are unchanged. Don't blame the cookie for the password's sins.

3. Not a cookie weakness — the implementation burden. "You must build sign-up, password reset, and protect your own hash store" describes rolling your own auth. With a framework this largely disappears: Laravel (Fortify/Breeze/Sanctum), Django, or an external IdP give you the account lifecycle, hashing, and session handling already hardened. You should not hand-roll this — so it's a reason to use good tooling, not an intrinsic flaw of cookie sessions.

Tip: Ask "would this still be true if the user logged in with a passkey and I used a framework?" If yes → it's a real cookie/session issue (hijacking, CSRF). If no → it's really about the password factor or your own code.

Go deeper:

From Quiz: INTROL / Web Authentication: Cookies, OAuth 2.0 / OIDC & WebAuthn | Updated: Jul 05, 2026