What are Cookies?

Cookies are small pieces of data that websites store in your browser to remember information between visits. They’re essential for keeping users logged in, storing preferences, and tracking sessions.
MDN Web Docs: Read more on HTTP cookies.

Session Cookies

  • Purpose: Temporary storage during browsing session
  • Examples: PHPSESSID, session_id, _session
  • Lifetime: Until browser closes
  • Security: Critical for authentication

Persistent Cookies

  • Purpose: Remember users across visits
  • Examples: remember_me, user_preferences
  • Lifetime: Set expiration date
  • Security: Can be convenience vs. security tradeoff

Tracking Cookies

  • Purpose: Analytics and advertising
  • Examples: _ga (Google Analytics), fbp (Facebook)
  • Lifetime: Often months or years
  • Security: Privacy considerations

Security Cookies

  • Purpose: CSRF protection, security tokens
  • Examples: csrf_token, __Host-session
  • Lifetime: Varies by purpose
  • Security: Critical for application security

How Cookies Work on the Web

  1. Server sends cookie: Via Set-Cookie header
  2. Browser stores it: According to domain/path rules
  3. Browser sends it back: On every matching request
  4. Server reads cookie: To identify user/session

Example exchange:

Request:  GET /dashboard
Response: Set-Cookie: session=abc123; HttpOnly; Secure
Next:     GET /profile (includes Cookie: session=abc123)

Using Cookies in Policies

Basic Examples

Require authentication cookie:

Field Type: Cookie
Field Reference: session_id
Operator: is not present
AND
Field Type: Request Path
Operator: starts with
Value: /account
Action: Block

Detect cookie tampering:

Field Type: Cookie
Field Reference: user_role
Operator: contains
Value: admin
Action: Challenge # Verify server-side

Advanced Patterns

Session fixation detection:

Field Type: Cookie
Field Reference: session_id
Operator: equals
Value: FORCED_SESSION
Action: Block

Rate limit by session:

Field Type: Cookie
Field Reference: session_id
Operator: is present
Window: 5 minutes
Threshold: 100
Action: Challenge

Cookie Security: Never trust cookie values for authorization decisions! Cookies can be modified by users. Always verify server-side.

Attribute | Purpose              | Security Impact
----------|----------------------|---------------------------
HttpOnly  | No JavaScript access | Prevents XSS theft
Secure    | HTTPS only           | Prevents interception
SameSite  | CSRF protection      | Limits cross-site sending
Domain    | Scope control        | Prevents subdomain access
Path      | URL restriction      | Limits cookie availability
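As an added illustration (not part of this documentation or the product's own code), the Python below parses Set-Cookie headers like the one in the exchange above and reports which attributes from the table are missing. The first sample header is the page's own example; the other sample headers are constructed, and the `__Host-` prefix checks (Secure, Path=/, no Domain) follow the standard browser rules for that prefix.

```python
# Constructed Set-Cookie headers: the first is the page's own example, the
# rest are made up for this illustration.
SAMPLE_SET_COOKIES = [
    "session=abc123; HttpOnly; Secure",
    "__Host-session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
    "__Host-session=abc123; Domain=example.com; Secure",
    "remember_me=1; Max-Age=31536000; Secure",
]

def parse_set_cookie(header):
    """Split a Set-Cookie header into (name, value, {attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()  # flags such as Secure map to ""
    return name.strip(), value.strip(), attrs

def audit_set_cookie(header):
    """Return the security findings for one Set-Cookie header, per the table above."""
    name, _value, attrs = parse_set_cookie(header)
    findings = []
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: readable by JavaScript (XSS theft)")
    if "secure" not in attrs:
        findings.append("missing Secure: may be sent over plain HTTP")
    samesite = attrs.get("samesite", "").lower()
    if samesite not in ("strict", "lax", "none"):
        findings.append("SameSite not set explicitly: no cross-site sending limit")
    elif samesite == "none" and "secure" not in attrs:
        findings.append("SameSite=None requires Secure")
    if name.startswith("__Host-"):
        # Browsers only honour the __Host- prefix with Secure, Path=/ and no Domain
        if "domain" in attrs:
            findings.append("__Host- cookie must not set Domain")
        if attrs.get("path") != "/":
            findings.append("__Host- cookie must set Path=/")
        if "secure" not in attrs:
            findings.append("__Host- cookie must be Secure")
    return findings

def audit_all(headers=SAMPLE_SET_COOKIES):
    """Map each header to its findings; an empty list means it passed."""
    return {h: audit_set_cookie(h) for h in headers}
```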

Security Patterns

Detecting Session Hijacking

# Sudden change in user agent with same session
Field Type: Cookie
Field Reference: session_id
Operator: is present
AND
User-Agent changed from previous request
Action: Challenge
# Too many cookies might indicate attack
Field Type: Cookie (count)
Operator: greater than
Value: 50
Action: Block
# Detect malformed session cookies
Field Type: Cookie
Field Reference: session_id
Operator: not matches regex
Value: ^[a-zA-Z0-9]{32}$
Action: Block
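To make the policies above concrete, here is an added Python sketch (not the product's engine or its policy syntax) that applies the same rules to a constructed request stream: the authentication cookie required under /account, the 32-character session_id format, the cookie-count limit, the 5-minute/100-request session rate limit and the User-Agent change check. The request dict shape and `GOOD_SID` are assumptions made for this illustration.

```python
import re
from collections import defaultdict, deque

SESSION_RE = re.compile(r"^[a-zA-Z0-9]{32}$")           # from the regex rule above
RATE_WINDOW, RATE_THRESHOLD, MAX_COOKIES = 300, 100, 50  # 5 min, 100 hits, 50 cookies
GOOD_SID = "a" * 32  # constructed value that satisfies SESSION_RE

def parse_cookie_header(value):
    """Parse a request Cookie header into a dict (last duplicate name wins)."""
    pairs = (p.strip().partition("=") for p in value.split(";") if p.strip())
    return {name: val for name, _, val in pairs}

class CookiePolicy:
    def __init__(self):
        self.last_ua = {}               # session_id -> last seen User-Agent
        self.hits = defaultdict(deque)  # session_id -> request timestamps

    def evaluate(self, req):
        """Return Block, Challenge or Allow for one request dict (ts, path, cookie, ua)."""
        cookies = parse_cookie_header(req.get("cookie", ""))
        sid = cookies.get("session_id")
        if len(cookies) > MAX_COOKIES:            # too many cookies might indicate attack
            return "Block"
        if sid is None:                            # missing auth cookie on protected path
            return "Block" if req["path"].startswith("/account") else "Allow"
        if not SESSION_RE.match(sid):              # malformed session cookie
            return "Block"
        window = self.hits[sid]                    # rate limit by session (sliding window)
        window.append(req["ts"])
        while window[0] <= req["ts"] - RATE_WINDOW:
            window.popleft()
        if len(window) > RATE_THRESHOLD:
            return "Challenge"
        prev = self.last_ua.get(sid)               # sudden User-Agent change, same session
        self.last_ua[sid] = req["ua"]
        if prev is not None and prev != req["ua"]:
            return "Challenge"
        return "Allow"

def run_samples():
    """Constructed request stream; returns the action taken for each request."""
    policy, ua = CookiePolicy(), "Mozilla/5.0"
    reqs = [
        {"ts": 0, "path": "/account", "cookie": "", "ua": ua},
        {"ts": 1, "path": "/profile", "cookie": f"session_id={GOOD_SID}", "ua": ua},
        {"ts": 2, "path": "/profile", "cookie": f"session_id={GOOD_SID}", "ua": "curl/8"},
        {"ts": 3, "path": "/profile", "cookie": "session_id=abc123", "ua": ua},
        {"ts": 4, "path": "/", "cookie": ";".join(f"c{i}=1" for i in range(51)), "ua": ua},
    ]
    return [policy.evaluate(r) for r in reqs]
```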

Best Practices

DO:

  • Validate cookie formats - Ensure expected structure
  • Monitor cookie combinations - Unusual sets might indicate attacks
  • Track cookie age - Very old sessions might be compromised
  • Check cookie presence - Missing auth cookies on protected resources
  • Use with other signals - Combine with IP, user agent for better detection

DON’T:

  • Trust cookie values - Users can modify them
  • Store sensitive data - Even encrypted, it’s risky
  • Block missing cookies carelessly - Some pages don’t need them
  • Ignore cookie size - Large cookies can cause issues
  • Forget about subdomains - Cookie scope matters

Common Attack Patterns

Script Injection via Cookie Value

Field Type: Cookie
Field Reference: cart_items
Operator: contains
Value: <script
Action: Block

Privilege Escalation

Field Type: Cookie
Field Reference: is_admin
Operator: is present
Action: Block # If set client-side

Session Fixation

Field Type: Cookie
Field Reference: session_id
Operator: in list
Value: [known_fixed_sessions]
Action: Block

Working with Authentication

Multi-Factor Authentication Check

# Require MFA cookie for sensitive actions
Field Type: Request Path
Operator: starts with
Value: /admin
AND
Field Type: Cookie
Field Reference: mfa_verified
Operator: not equals
Value: true
Action: Challenge

Remember Me Security

# Limit "remember me" cookie actions
Field Type: Cookie
Field Reference: remember_token
Operator: is present
AND
Field Type: Request Path
Operator: equals
Value: /change-password
Action: Challenge  # Require fresh login
Investigation Tips

When investigating suspicious activity:

  1. Check cookie creation time vs. activity time
  2. Look for impossible cookie combinations
  3. Compare cookie values with server records
  4. Track cookie modifications over time

Browser Behavior Quirks

Third-Party Cookies

  • Increasingly blocked by browsers
  • May not be sent in embedded contexts
  • Consider when building policies

Cookie Limits

  • ~4KB per cookie
  • ~50 cookies per domain
  • Browsers handle limits differently

Troubleshooting

“Cookie policy not matching”

  • Check exact cookie name (case-sensitive)
  • Verify cookie is sent on this path
  • Confirm domain/subdomain scope
  • Check SameSite restrictions

“Blocking legitimate users”

  • Users might have cookies disabled
  • Private browsing affects cookies
  • Cookie might be expired
  • Browser extensions might block cookies

Integration Patterns

Combine with IP Tracking

# Detect session sharing
Field Type: Cookie
Field Reference: session_id
Operator: is present
AND
Field Type: Client IP
Changed from last request with same session
Action: Challenge

API vs. Browser Detection

# APIs shouldn't have browser cookies
Field Type: Cookie
Field Reference: _ga
Operator: is present
AND
Field Type: Request Path
Operator: starts with
Value: /api
Action: Monitor  # Suspicious

Related Fields

  • Headers - Cookies are sent via Cookie header
  • Client IP - Often checked together for session security
  • User Agent - Changes might indicate session hijacking
  • Request Path - Different paths need different cookies