Idea ID: 2817793

APM Security Misconfiguration: Cookie scoped to parent domain

Status : Waiting for Votes
Waiting for Votes
See status update history
11 months ago

Dear Team,

It is observed that the cookies were issued by the application and is scoped to a parent of the issuing domain.


A cookie's domain attribute determines which domains can access the cookie. Browsers will automatically submit the cookie in requests to in-scope domains, and those domains will also be able to access the cookie via JavaScript. If a cookie is scoped to a parent domain, then that cookie will be accessible by the parent domain and also by any other subdomains of the parent domain. If the cookie contains sensitive data (such as a session token) then this data may be accessible by less trusted or less secure applications residing at those domains, leading to a security compromise


Thanks & Regards,

Vijay Ninave.