This article is a part of our Web Security Knowledge Base.
Why Loosely Scoped Cookie can be dangerous
The domain scope applied to a cookie determines which domains can access it. For example, a cookie can be scoped strictly to a subdomain, e.g. www.scanrepeat.com, or loosely scoped to a parent domain, e.g. scanrepeat.com. In the latter case, any subdomain of scanrepeat.com can access the cookie, so it is exposed to every application served under those subdomains, not only the one that set it.
How to fix Loosely Scoped Cookie
Always scope cookies to a Fully Qualified Domain Name.
How does ScanRepeat report Loosely Scoped Cookie
ScanRepeat analyzes every HTTP response by retrieving its cookies and then comparing their domain scope with the host domain. ScanRepeat reports every occurrence of a loosely scoped cookie along with the URL of the HTTP response.
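The following is an added example, not ScanRepeat's own code, that applies the check described above to a few constructed Set-Cookie headers: each cookie's Domain attribute is compared with the host that served the response, and a cookie whose Domain is a parent of that host is flagged as loosely scoped. It also illustrates the fix from the previous section: a Set-Cookie header with no Domain attribute at all produces a host-only cookie, which browsers send back only to the exact host that set it. The host name and header values are constructed sample data; the scope labels (host-only, exact, loose, foreign) are this example's own terminology.

```python
"""Flag loosely scoped cookies in HTTP responses.

Added example, not part of the original article or ScanRepeat's scanner.
It implements the check the article describes: compare each cookie's
Domain attribute with the host that served the response.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class CookieScope:
    name: str
    domain: Optional[str]   # normalized Domain attribute, or None if absent
    scope: str              # "host-only", "exact", "loose" or "foreign"


def _parse_set_cookie(header: str) -> Tuple[str, Optional[str]]:
    """Return (cookie name, Domain attribute or None) from a Set-Cookie value."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    domain = None
    for attr in parts[1:]:
        key, _, value = attr.partition("=")
        if key.strip().lower() == "domain":
            # RFC 6265: a leading dot is ignored and matching is case-insensitive
            domain = value.strip().lower().lstrip(".")
    return name, domain


def classify_cookie(host: str, set_cookie: str) -> CookieScope:
    """Classify one Set-Cookie header relative to the serving host."""
    host = host.lower()
    name, domain = _parse_set_cookie(set_cookie)
    if domain is None:
        scope = "host-only"   # no Domain attribute: sent only to `host` (the recommended fix)
    elif domain == host:
        scope = "exact"       # Domain names the serving host itself
    elif host.endswith("." + domain):
        scope = "loose"       # Domain is a parent of the host: sibling subdomains can read it
    else:
        scope = "foreign"     # Domain does not cover the host; a browser rejects such a cookie
    # Note: this check does not consult the public suffix list, so Domain=com
    # would also be reported as "loose" even though browsers reject it.
    return CookieScope(name, domain, scope)


def find_loosely_scoped(host: str, set_cookie_headers: List[str]) -> List[CookieScope]:
    """Return the cookies from one response that are scoped to a parent domain of `host`."""
    return [
        c for c in (classify_cookie(host, h) for h in set_cookie_headers)
        if c.scope == "loose"
    ]


# Constructed sample: the host of one response and the Set-Cookie headers it carried.
SAMPLE_HOST = "www.scanrepeat.com"
SAMPLE_HEADERS = [
    "sessionid=abc123; Path=/; Secure; HttpOnly",                     # host-only
    "tracking=xyz; Domain=scanrepeat.com; Path=/",                    # loose
    "pref=dark; Domain=.scanrepeat.com; Path=/; Max-Age=3600",        # loose (legacy leading dot)
    "csrf=tok; Domain=www.scanrepeat.com; Path=/; SameSite=Strict",   # exact
]

if __name__ == "__main__":
    for c in find_loosely_scoped(SAMPLE_HOST, SAMPLE_HEADERS):
        print(f"loosely scoped cookie {c.name!r}: Domain={c.domain} on host {SAMPLE_HOST}")
```

Run against the sample response, the check reports `tracking` and `pref`; `sessionid` passes because it carries no Domain attribute, which is the shape a fixed cookie should have.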