
CAS-003 · Question #232

CAS-003 Question #232: Real Exam Question with Answer & Explanation

The correct answer is C: Cookies should be scoped to a relevant domain/path.

Question

A web developer has implemented HTML5 optimizations into a legacy web application. One of the modifications the web developer made was the following client-side optimization: localStorage.setItem("session-cookie", document.cookie); Which of the following should the security engineer recommend?

Options

  • A. SessionStorage should be used so authorized cookies expire after the session ends
  • B. Cookies should be marked as "secure" and "HttpOnly"
  • C. Cookies should be scoped to a relevant domain/path
  • D. Client-side cookies should be replaced by server-side mechanisms

Explanation

Storing session cookies in localStorage exposes them to persistent JavaScript access; scoping cookies to the correct domain and path limits which cookie values appear in document.cookie and therefore what is exposed in client-side storage.

Common mistakes.

  • A. Switching to sessionStorage would cause the copied cookie data to expire when the browser tab closes, but the session cookie value is still readable by JavaScript during the session and remains fully vulnerable to XSS-based exfiltration within that window.
  • B. Marking cookies HttpOnly and Secure is a valuable hardening measure - HttpOnly prevents JavaScript from reading the cookie via document.cookie and Secure restricts transmission to HTTPS - but neither attribute directly addresses the scoping problem of which cookies are exposed to the current page context and stored in localStorage.
  • D. Migrating to server-side session mechanisms is a comprehensive architectural change that would eliminate client-side cookie exposure entirely, but the recommendation requested here is scoped to the specific client-side optimization already implemented, not a full re-architecture of the session model.
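To make the scoping point concrete, here is an added example (not part of the exam page) that models which cookies a browser exposes through document.cookie for a given page URL, so you can see what the legacy localStorage.setItem call would have copied. The cookie jars, hostnames and values are constructed for illustration; the matching rules follow the RFC 6265 domain-match and path-match definitions.

```javascript
// Added example: a small model of what document.cookie returns on a page,
// to show how Domain/Path scoping (and HttpOnly) change what the legacy line
//   localStorage.setItem("session-cookie", document.cookie);
// would persist into localStorage. All cookie data below is constructed.

// Does the cookie's Domain attribute cover the page host? (RFC 6265 domain-match)
function domainMatches(host, cookieDomain) {
  const d = cookieDomain.replace(/^\./, "").toLowerCase();
  return host === d || host.endsWith("." + d);
}

// Does the cookie's Path attribute cover the request path? (RFC 6265 path-match)
function pathMatches(reqPath, cookiePath) {
  if (reqPath === cookiePath) return true;
  if (!reqPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith("/") || reqPath[cookiePath.length] === "/";
}

// Reconstruct the string document.cookie would return on pageUrl.
// HttpOnly cookies are never visible to script, regardless of scope.
function visibleCookieString(pageUrl, jar) {
  const u = new URL(pageUrl);
  return jar
    .filter((c) => !c.httpOnly)
    .filter((c) => domainMatches(u.hostname, c.domain))
    .filter((c) => pathMatches(u.pathname, c.path))
    .map((c) => `${c.name}=${c.value}`)
    .join("; ");
}

// Constructed jars: the session cookie set site-wide vs. scoped to the app host/path.
const broadJar = [
  { name: "SESSIONID", value: "abc123", domain: ".example.com", path: "/", httpOnly: false },
  { name: "theme", value: "dark", domain: "www.example.com", path: "/", httpOnly: false },
];
const scopedJar = [
  { name: "SESSIONID", value: "abc123", domain: "app.example.com", path: "/account", httpOnly: false },
  { name: "theme", value: "dark", domain: "www.example.com", path: "/", httpOnly: false },
];

// What the legacy optimization would copy into localStorage on an unrelated marketing page:
const legacyPage = "https://www.example.com/promo/index.html";
console.log(visibleCookieString(legacyPage, broadJar));  // "SESSIONID=abc123; theme=dark"
console.log(visibleCookieString(legacyPage, scopedJar)); // "theme=dark"
```

With the scoped jar the session identifier only appears in document.cookie on the app host under /account, so pages elsewhere on the site no longer copy it into localStorage; marking it HttpOnly removes it from document.cookie everywhere.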

Concept tested. Cookie domain and path scoping to limit client-side exposure

Reference. https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html
