Talk:Testing for cookies attributes (OWASP-SM-002)

Revision as of 11:33, 27 April 2012 by Guillermo Caminer (Talk | contribs)



Reviewer Note Rick.mitchell 10:33, 22 July 2008 (EDT)

Re: Section Title

"Testing for cookies attributes"

Something is wrong with this title. One of the following should be used:
Testing for cookies' attributes
(Multiple attributes belonging to multiple cookies)
Testing for cookie attributes
(Multiple attributes per cookie)
Testing for cookie's attributes
(Multiple attributes belonging to a cookie) Rick.mitchell 10:05, 22 July 2008 (EDT)

Domain attribute

There's an error in the Domain attribute explanation: "For example, if a cookie is set by an application at with no domain attribute set, then the cookie would be resubmitted for all subsequent requests for and its subdomains (such as"

That's not correct. If the cookie set by an application at has no domain attribute set, then the cookie will be -only- submitted to and NOT to subdomains such as Also, if you set the attribute to "" the cookie WILL be submitted to subdomains.

In conclusion, it's more restrictive/secure if you leave the domain attribute unset.

Guillermo Caminer
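The host-only versus Domain-attribute behaviour discussed in the thread above, as an added example that is not part of this Talk page or of the OWASP Testing Guide text: a small Python model of the RFC 6265 rules a browser applies when it stores a cookie (section 5.3) and when it decides which request hosts receive it (section 5.1.3 domain matching and the host-only flag). The hostnames (www.example.com, api.example.com, evil-example.com) and the tiny public-suffix list are constructed stand-ins for illustration.

```python
"""Model of RFC 6265 cookie Domain handling (added example, not from the guide).

Two things a tester should be able to predict for any Set-Cookie:
  * No Domain attribute  -> host-only cookie, sent only to the exact setting host.
  * Domain=example.com   -> sent to example.com AND every subdomain of it.
Leaving Domain unset is therefore the narrower (more restrictive) choice.
"""
from dataclasses import dataclass
from typing import Optional, Dict

# Constructed stand-in for the Public Suffix List that real browsers consult;
# a Domain attribute equal to one of these is rejected (would be a "supercookie").
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}


@dataclass(frozen=True)
class StoredCookie:
    name: str
    domain: str      # canonicalized: lowercase, no leading dot
    host_only: bool  # True when Set-Cookie carried no Domain attribute


def _is_ip_literal(host: str) -> bool:
    # Good enough for the example: dotted-decimal IPv4 or bracketed IPv6.
    return host.startswith("[") or host.split(".")[-1].isdigit()


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 section 5.1.3: exact match, or request_host is a subdomain."""
    if request_host == cookie_domain:
        return True
    if _is_ip_literal(request_host):
        return False  # IP addresses never domain-match a parent
    # The dot is what stops evil-example.com matching example.com.
    return request_host.endswith("." + cookie_domain)


def store_cookie(setting_host: str, name: str,
                 domain_attr: Optional[str] = None) -> Optional[StoredCookie]:
    """Apply the storage rules of RFC 6265 section 5.3 to one Set-Cookie.

    Returns the stored cookie, or None when the user agent would ignore it.
    """
    host = setting_host.lower()
    if domain_attr is None or domain_attr == "":
        # No Domain attribute: host-only cookie bound to the exact setting host.
        return StoredCookie(name, host, host_only=True)
    cookie_domain = domain_attr.lower().lstrip(".")  # leading dot is ignored
    if cookie_domain in PUBLIC_SUFFIXES:
        return None  # refuse cookies scoped to a whole public suffix
    if not domain_matches(host, cookie_domain):
        return None  # setting host must be within the Domain it names
    return StoredCookie(name, cookie_domain, host_only=False)


def cookie_sent_to(cookie: StoredCookie, request_host: str) -> bool:
    """RFC 6265 section 5.4 step 1: host-only needs an exact host match."""
    host = request_host.lower()
    if cookie.host_only:
        return host == cookie.domain
    return domain_matches(host, cookie.domain)


def reach(setting_host: str, domain_attr: Optional[str],
          targets) -> Dict[str, bool]:
    """Which of the target hosts would receive a cookie set this way."""
    cookie = store_cookie(setting_host, "sid", domain_attr)
    if cookie is None:
        return {t: False for t in targets}
    return {t: cookie_sent_to(cookie, t) for t in targets}


if __name__ == "__main__":
    hosts = ["www.example.com", "example.com", "api.example.com",
             "evil-example.com", "example.com.evil.net"]
    for attr in (None, "example.com", ".example.com", "other.com", "com"):
        print(f"Domain={attr!r:16} -> {reach('www.example.com', attr, hosts)}")
```

Running it shows that a cookie set by www.example.com without a Domain attribute is sent back only to www.example.com, while Domain=example.com (with or without the leading dot) reaches example.com and every subdomain, but never evil-example.com or example.com.evil.net; Domain=other.com and Domain=com are discarded by the store rules.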