Cookie Security Attributes

Modern cookie security relies on multiple attributes working together to prevent various attack vectors:

Secure Attribute: Instructs the browser to send the cookie only over HTTPS connections

Set-Cookie: sessionId=abc123; Secure

HttpOnly Attribute: Prevents client-side JavaScript (document.cookie) from reading the cookie

Set-Cookie: sessionId=abc123; HttpOnly

SameSite Attribute: Controls whether the browser attaches the cookie to cross-site requests

Set-Cookie: sessionId=abc123; SameSite=Strict
Set-Cookie: sessionId=abc123; SameSite=Lax
Set-Cookie: sessionId=abc123; SameSite=None; Secure

Complete Secure Cookie Implementation

// Node.js/Express secure session configuration
const session = require('express-session');
const MongoStore = require('connect-mongo');

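// Fail fast on a missing secret: express-session only reports the problem
// when the first request arrives, so an unset SESSION_SECRET would otherwise
// surface as a per-request error rather than a startup error.
const sessionSecret = process.env.SESSION_SECRET;
if (!sessionSecret) {
    throw new Error('SESSION_SECRET environment variable must be set');
}

app.use(session({
    name: 'sessionId', // Don't use default names
    secret: sessionSecret,
    resave: false,
    saveUninitialized: false,
    store: MongoStore.create({
        mongoUrl: process.env.MONGODB_URI,
        touchAfter: 24 * 3600 // Lazy session update (seconds between store writes)
    }),
    cookie: {
        // HTTPS only in production. If TLS is terminated by a reverse proxy,
        // express-session must also be told to trust it (app.set('trust proxy', 1)
        // or the `proxy` option); otherwise the connection looks like plain HTTP
        // and the Secure cookie is never set.
        secure: process.env.NODE_ENV === 'production',
        httpOnly: true, // Not readable from document.cookie; limits what an XSS payload can steal
        maxAge: 1000 * 60 * 60 * 24, // 24 hours, in milliseconds
        sameSite: 'strict', // CSRF protection: cookie is not sent on cross-site requests
        domain: process.env.COOKIE_DOMAIN, // Limit cookie scope; unset means host-only
        path: '/' // Cookie path restriction
    }
}));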

// Additional security headers for authentication.
// Header sets are frozen so no later code can silently weaken them.
const SECURITY_HEADERS = Object.freeze({
    'X-Content-Type-Options': 'nosniff',
    'X-Frame-Options': 'DENY',
    'X-XSS-Protection': '0', // Disabled in favor of CSP
    'Referrer-Policy': 'strict-origin-when-cross-origin'
});

// Applied only to responses for a logged-in user so authenticated pages
// do not land in browser or shared caches.
const NO_STORE_HEADERS = Object.freeze({
    'Cache-Control': 'private, no-cache, no-store, must-revalidate',
    'Pragma': 'no-cache',
    'Expires': '0'
});

app.use((req, res, next) => {
    // Prevent caching of authenticated pages
    if (req.session?.userId) {
        for (const [header, value] of Object.entries(NO_STORE_HEADERS)) {
            res.setHeader(header, value);
        }
    }

    // Add security headers to every response
    for (const [header, value] of Object.entries(SECURITY_HEADERS)) {
        res.setHeader(header, value);
    }

    next();
});