Talk:Testing for cookies attributes (OWASP-SM-002)

Reviewer Note
https://www.owasp.org/index.php/User:Rick.mitchell#.22and.2For.22_Explanation Rick.mitchell 10:33, 22 July 2008 (EDT)

Re: Section Title
"Testing for cookies attributes"

Something is wrong with this title. One of the following should be used:

Testing for cookies' attributes (Multiple attributes belonging to multiple cookies)
Testing for cookie attributes (Multiple attributes per cookie)
Testing for cookie's attributes (Multiple attributes belonging to a cookie)

Rick.mitchell 10:05, 22 July 2008 (EDT)

Domain attribute
There's an error in the Domain attribute explanation: "For example, if a cookie is set by an application at app.mydomain.com with no domain attribute set, then the cookie would be resubmitted for all subsequent requests for app.mydomain.com and its subdomains (such as hacker.app.mydomain.com)"

That's not correct. If the cookie set by an application at app.mydomain.com has no domain attribute set, then the cookie will be -only- submitted to app.mydomain.com and NOT to subdomains such as hacker.app.mydomain.com. Also, if you set the attribute to ".app.domain.com" the cookie WILL be submitted to subdomains.

In conclusion, it's more restrictive/secure if you leave the domain attribute unset.

Guillermo Caminer
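The scoping behaviour discussed above, as an added example that is not part of the original discussion: a small model of how a browser decides where a cookie is sent, following the RFC 6265 rules (a cookie with no Domain attribute is host-only and goes back to the exact setting host only; a leading dot on Domain is ignored; a Domain that does not cover the setting host is rejected). Hosts and cookie names are constructed.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Cookie:
    name: str
    domain: str      # effective domain, lower-case, no leading dot
    host_only: bool  # True when Set-Cookie carried no Domain attribute


def domain_matches(host: str, domain: str) -> bool:
    """RFC 6265 5.1.3: host equals domain, or host ends with '.' + domain."""
    host, domain = host.lower(), domain.lower()
    return host == domain or host.endswith("." + domain)


def parse_set_cookie(header: str, request_host: str) -> Optional[Cookie]:
    """Model the store step for a Set-Cookie header received from request_host.

    Returns None when the browser would discard the cookie because its
    Domain attribute does not cover the host that set it.
    """
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    domain_attr = None
    for attr in parts[1:]:
        key, _, value = attr.partition("=")
        if key.strip().lower() == "domain" and value.strip():
            # Browsers ignore a leading dot: ".app.mydomain.com" == "app.mydomain.com"
            domain_attr = value.strip().lower().lstrip(".")
    if domain_attr is None:
        # No Domain attribute: host-only cookie, scoped to the setting host
        return Cookie(name, request_host.lower(), True)
    if not domain_matches(request_host, domain_attr):
        # e.g. app.mydomain.com trying to set Domain=evil.com: rejected
        return None
    # Domain attribute present: sent to that domain and all its subdomains
    return Cookie(name, domain_attr, False)


def would_send(cookie: Cookie, host: str) -> bool:
    """Would the browser attach this cookie to a request for host?"""
    if cookie.host_only:
        return host.lower() == cookie.domain
    return domain_matches(host, cookie.domain)
```

Run `would_send` against a host-only cookie and against one set with `Domain=.app.mydomain.com` to see that only the latter reaches `hacker.app.mydomain.com`.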