nerdexam
EC-Council

312-50V13 · Question #33

A company's security policy states that all Web browsers must automatically delete their HTTP browser cookies upon terminating. What sort of security breach is this policy attempting to mitigate?

The correct answer is B. Attempts by attackers to access Web sites that trust the Web browser user by stealing the user's. The policy of deleting HTTP cookies upon browser termination aims to prevent attackers from using stolen cookies to impersonate users.

Submitted by skyler.x· Mar 6, 2026Session Hijacking

Question

A company's security policy states that all Web browsers must automatically delete their HTTP browser cookies upon terminating. What sort of security breach is this policy attempting to mitigate?

Options

  • AAttempts by attackers to access the user and password information stored in the company's SQL
  • BAttempts by attackers to access Web sites that trust the Web browser user by stealing the user's
  • CAttempts by attackers to access password stored on the user's computer without the user's
  • DAttempts by attackers to determine the user's Web browser usage patterns, including when sites

How the community answered

(28 responses)
  • A
    4% (1)
  • B
    93% (26)
  • D
    4% (1)

Why each option

The policy of deleting HTTP cookies upon browser termination aims to prevent attackers from using stolen cookies to impersonate users.

AAttempts by attackers to access the user and password information stored in the company's SQL

HTTP cookies do not typically store direct SQL user and password information; this type of storage would be a severe security vulnerability for a web application.

BAttempts by attackers to access Web sites that trust the Web browser user by stealing the user'sCorrect

By automatically deleting HTTP browser cookies upon termination, the policy mitigates the risk of an attacker gaining access to a user's computer and stealing persistent session cookies. These stolen cookies could otherwise be used by the attacker to hijack the user's active sessions and impersonate them on websites that rely on those cookies for authentication or session management.

CAttempts by attackers to access password stored on the user's computer without the user's

While some authentication tokens might be in cookies, the primary passwords themselves are generally not stored in clear text or directly accessible formats within cookies for an attacker to steal and use as a 'password'.

DAttempts by attackers to determine the user's Web browser usage patterns, including when sites

While cookies contribute to tracking usage patterns, the more immediate and critical security breach prevented by deleting them upon termination is session hijacking and unauthorized access, not just pattern determination.

Concept tested: Mitigating cookie-based session hijacking

Source: https://www.owasp.org/www-project-top-ten/2017/A5_2017-Broken_Access_Control

Topics

#HTTP cookies#session hijacking#browser security

Community Discussion

No community discussion yet for this question.

Full 312-50V13 Practice