LOGBOOK

HELP

Quiz Entry - updated: 2026.07.14

What are the three main cookie security attributes, and what does each do?

Secure (HTTPS-only), HttpOnly (no JavaScript access), SameSite (no cross-site sending).

Attribute What it does Attack it mitigates
Secure Cookie is sent only on HTTPS requests Network sniffing — without it the cookie leaks on any HTTP request, e.g. mistyped URL on Wi-Fi
HttpOnly JavaScript on the page cannot read the cookie via document.cookie Cookie theft via stored or reflected XSS — the malicious script is in the page but can't see the cookie
SameSite=Lax / Strict Browser doesn't send the cookie on cross-site requests (third-party <img>, <form>, etc.) CSRF — a malicious site can't trigger authenticated requests against the user's session

Choosing SameSite values:

Value Behaviour When to use
Strict Never sent cross-site, even on top-level navigation Banking — but breaks "follow email link to bank, end up logged out"
Lax (default since Chrome 80) Sent on top-level GET navigations only Sensible default for most session cookies
None Sent on all cross-site requests Required for cross-site embeds (third-party iframes); must be combined with Secure

Modern recommended session cookie:

Set-Cookie: sid=…; HttpOnly; Secure; SameSite=Lax; Path=/

Tip: Setting all three is one line of config in every framework — there is no excuse to ship a session cookie without them. Most pen-test findings on the topic are simple oversights, not architectural problems.

From Quiz: ISF / Session Handling & Login Protocols | Updated: Jul 14, 2026