Hypertext Transfer Protocol (HTTP) cookies are an important part of trust on the web. Users often trade their login credentials for a cookie, which is then used to authenticate subsequent requests. Cookies are valuable to attackers: passwords can be fortified by two-factor authentication and “new login location detected” emails, but session cookies typically bypass these measures.
When a user authenticates to a website, the user may be given a token. The token can then be presented to the web server by the user along with subsequent requests to prove the identity of the user. The token usually takes the form of a number, called a session identifier (ID), stored in a cookie. A cookie is generally a text file or database entry. A malicious third party, using various means, can steal the cookie data and impersonate the user for as long as the cookie is valid. Cookies often remain valid for extended periods of time, on the order of weeks in some cases.
Malicious third parties may steal cookies in two ways: at rest and in transit. To steal a cookie at rest (i.e., while the cookie is stored in memory), an attacker steals the cookie from the user's computing device. This can be a result of a browser vulnerability or through direct access to the computing device. To steal a cookie in transit, an attacker must generally intercept the traffic between the user and server. Cookies are usually transmitted over secure channels, wherein the cookies are encrypted. To steal a cookie in transit, an attacker needs to generally compromise the encryption scheme.