State management

Many applications pass state between pages or (RPC) requests. A developer needs to be aware when state is passed in such a way that the client can see or modify it (e.g. URL variables, cookies, REST parameters) and take proper precautions to prevent leakage of data or unauthorized access to a website or system.

WebHare offers some APIs to help encrypt these values when they are passed 'through' a client. Even with encryption, you should still be careful of 'replay' attacks, where the client reuses an encrypted value without having to actually understand it: an attacker might not be able to read the session cookie they stole from a sysop, but it may still provide them with the same access if they can use it.

Cookies and (URL) variables

Cookies should have the httponly and secure flags whenever possible (%UpdateWebCookie already sets 'httponly' by default). Avoid JavaScript-readable cookies even if they do not contain any sensitive data at all; it will save you from having to explain their harmlessness during a security audit.

You can ask UpdateWebCookie for an encrypted cookie (which can be read using %GetDecryptedWebCookie), but you will still need to be careful about replay attacks by whoever holds its value.


Further tips