Using cookies is security-sensitive. It has led in the past to the following vulnerabilities:
Attackers can use widely available tools to read cookies, so any sensitive information the server writes into them will be exposed.
This rule flags code that writes cookies.
You are at risk if you answered yes to this question.
Cookies should only be used to manage the user session. The best practice is to keep all user-related information server-side and link it to the user session, never sending it to the client. In a few corner cases, cookies can be used for non-sensitive information that needs to live longer than the user session.
Do not try to encode sensitive information in a non-human-readable format before writing it to a cookie. The encoding can be reversed and the original information will be exposed.
Using cookies only for session IDs doesn't make them secure. Follow OWASP best practices when you configure your cookies.
As a side note, all information read from a cookie should be sanitized.
// === Built-in NodeJS modules ===
const http = require('http');
const https = require('https');

http.createServer(function(req, res) {
  res.setHeader('Set-Cookie', ['type=ninja', 'lang=js']); // Questionable
  res.end();
});

https.createServer(function(req, res) {
  res.setHeader('Set-Cookie', ['type=ninja', 'lang=js']); // Questionable
  res.end();
});

// === ExpressJS ===
const express = require('express');
const app = express();

app.use(function(req, res, next) {
  res.cookie('name', 'John'); // Questionable
  next();
});

// === In browser ===
// Set cookie
document.cookie = "name=John"; // Questionable