Setting Cookie Path Attribute
Mobile applications and their backend web applications communicate with each other over a network, and both entities verify each other's identity before engaging in dialogue. When a mobile app contacts its server for the first time, the server creates a cookie on the client side. The cookie contains information that helps the server establish the mobile app's identity. A cookie has many attributes; one of them is 'Path'. It names the folder in which the web application is stored on the server side, and the server sets this attribute. The mobile application responds to dialogue only if it originates from a location that falls under that path. The folder structure on a server typically has one folder at the top of the hierarchy, called 'root', which may contain many sub-folders, each holding the functionality of one web app. Multiple apps stored on a server therefore share a common 'root'. Servers often set the Path attribute to the root folder only, without specifying the full path down to the application's own folder. This practice can cause harm, as the following example shows.
Suppose the Path attribute in a mobile application's cookie is set to the server's root directory. The server has multiple web apps stored inside the root directory, each in its own sub-directory. One of those web applications is attacked by an intruder, who gains complete control over it. Using the compromised web app, the attacker initiates communication with the mobile application. The mobile app responds, because its cookie's Path attribute is set only to the server's root. Mobile apps (clients) send the cookie along with each message, so the attacker receives the cookie and obtains the login credentials stored within. The attacker then uses those credentials to access the user account and steal the sensitive data stored there.
The solution is to set the cookie's Path attribute to the folder that stores the web application's functionality. This ensures that the mobile app responds and shares the cookie only when the request comes from its own web application.
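The following is an added example, not code from the original article: a Python rendering of the RFC 6265 path-match rule a client applies before attaching a cookie, alongside the Set-Cookie header a server should emit. The app folders `/bankapp` and `/otherapp` and the session value are constructed for illustration.

```python
"""Cookie Path scoping: which requests carry the cookie (RFC 6265 section 5.1.4)."""
from typing import Dict, Iterable

# Constructed sample layout: two web apps share one host under the root.
APP_PATH = "/bankapp"       # folder holding this app's functionality (constructed)
SIBLING_PATH = "/otherapp"  # another app on the same server (constructed)


def path_matches(request_path: str, cookie_path: str) -> bool:
    """RFC 6265 path-match: the client attaches the cookie only when this holds."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        # Either the cookie path ends in '/' or the next request char is '/'
        if cookie_path.endswith("/"):
            return True
        if request_path[len(cookie_path)] == "/":
            return True
    return False


def set_cookie_header(name: str, value: str, path: str) -> str:
    """Build the Set-Cookie header the server emits; Secure, HttpOnly and
    SameSite are assumed good defaults that complement the Path scope."""
    return f"{name}={value}; Path={path}; Secure; HttpOnly; SameSite=Strict"


def cookie_sent_to(cookie_path: str, request_paths: Iterable[str]) -> Dict[str, bool]:
    """Map each request path to whether a cookie scoped to cookie_path is sent."""
    return {p: path_matches(p, cookie_path) for p in request_paths}


# Constructed requests: the app's own login, the app root, a look-alike
# folder, and a sibling app that an intruder may control.
REQUESTS = ["/bankapp/login", "/bankapp", "/bankapp2/x", SIBLING_PATH + "/steal"]

if __name__ == "__main__":
    for label, cp in (("root-scoped", "/"), ("app-scoped", APP_PATH)):
        print(label, "->", set_cookie_header("session", "abc123", cp))
        print("   sent to:", cookie_sent_to(cp, REQUESTS))
```

With `Path=/` every request on the host, including the sibling app's, carries the session cookie; with `Path=/bankapp` only the app's own folder and its sub-paths do, and the look-alike `/bankapp2` is excluded. RFC 6265 notes that Path is scoping rather than isolation, so it complements Secure, HttpOnly and separate hostnames per app rather than replacing them.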