SANS ISC shares a good piece of security awareness on the danger of cookie files. Beyond tracking what a user has done on a site, a cookie can carry a session token that stands in for the user's login credentials. Stolen cookies are actually for sale on the dark web: in certain settings they let an attacker load the cookie into their own browser and resume the victim's session without ever entering a password, especially where the website does not follow best practices for session handling (invalidating the session on the server at logout, expiring idle sessions, and setting the Secure and HttpOnly cookie attributes).

Do you Like Cookies? Some are for sale! (sans.edu)

Cookies… These small pieces of information are always with us. Since the GDPR was kicked off in Europe, we are flooded by pop-ups asking if we accept “cookies”. Honestly, most people don’t take time to read the warning and just accept the default settings.

While cookies are useful for a website owner to track which actions were previously performed by the visitor (like the page's configuration: language selection, colors, etc.), cookies are also very interesting for maintaining sessions. These are called "session cookies" and allow users to be tracked within a website, so any action the visitor does is remembered from page to page.

Cookies are also useful to keep a session "open" to a website and to prevent the visitor from having to authenticate again when (s)he's back. Think about the small option "Stay connected" that you see on login pages. Those are called "persistent cookies" and help websites remember your information and settings when you visit them in the future.

So many times, I've seen improper session handling implemented in websites. The user logs off but the session is not really closed on the server side and/or the cookie remains valid. If an attacker is able to put his hands on the browser and access cookies, it's easy to load this cookie into another browser and… reactivate the session. This technique is called "session impersonation" or "session hijacking". And if the cookie is used to hold a session to an administrative interface, it could have a very bad impact!
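The following Python is an added example written for this page; it is not code from the SANS ISC diary or from any real website. It simulates the flaw described above with an in-memory session store: the weak variant's logout only tells the browser to drop the cookie, so a copy of the cookie taken from the browser keeps working after the user has "logged off"; the hardened variant deletes the server-side session at logout and also enforces idle and absolute timeouts, so the same stolen cookie is rejected. The class and function names (SessionStore, demo_hijack, set_cookie_header), the timeout values and the user "alice" are all constructed for the demo.

```python
"""Added example: server-side session handling, vulnerable vs hardened.

Constructed demo, not code from the SANS ISC diary. SessionStore, demo_hijack,
set_cookie_header and the user "alice" are hypothetical; the browser and the
attacker are simulated by passing the cookie value around in memory.
"""
import secrets
import time

IDLE_TIMEOUT = 15 * 60          # seconds without a request before the session dies
ABSOLUTE_TIMEOUT = 8 * 3600     # hard cap on session lifetime regardless of activity


class SessionStore:
    """Minimal in-memory session store keyed by an opaque random token."""

    def __init__(self, invalidate_on_logout: bool):
        self._sessions = {}
        # Weak variant: logout only tells the browser to drop the cookie and the
        # server-side record stays valid, which is exactly the flaw the diary describes.
        self.invalidate_on_logout = invalidate_on_logout

    def login(self, username: str, now: float) -> str:
        # 256 bits of randomness: the token stands in for the user's credentials
        # on every request, so it must be unguessable.
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {"user": username, "created": now, "last_seen": now}
        return token

    def resolve(self, token: str, now: float):
        """Return the user behind a presented cookie, or None if it is not valid."""
        sess = self._sessions.get(token)
        if sess is None:
            return None
        if now - sess["created"] > ABSOLUTE_TIMEOUT or now - sess["last_seen"] > IDLE_TIMEOUT:
            del self._sessions[token]   # expired: remove it so it cannot be replayed later
            return None
        sess["last_seen"] = now
        return sess["user"]

    def logout(self, token: str) -> str:
        """Handle logout; returns the Set-Cookie header the server would send."""
        if self.invalidate_on_logout:
            self._sessions.pop(token, None)   # hardened: kill the server-side session
        # Both variants tell the browser to discard the cookie. In the weak variant
        # this is the ONLY thing that happens, so a copied cookie still works.
        return "session=deleted; Max-Age=0; Path=/; Secure; HttpOnly; SameSite=Lax"


def set_cookie_header(token: str) -> str:
    """Cookie attributes that limit how a session token can be stolen or replayed:
    Secure (HTTPS only), HttpOnly (not readable by page scripts), SameSite=Lax."""
    return f"session={token}; Path=/; Secure; HttpOnly; SameSite=Lax"


def demo_hijack(invalidate_on_logout: bool, now=None) -> dict:
    """Victim logs in, attacker copies the cookie, victim logs out, attacker replays."""
    now = time.time() if now is None else now
    store = SessionStore(invalidate_on_logout)
    victim_cookie = store.login("alice", now)
    stolen_cookie = victim_cookie               # e.g. read from the browser's cookie jar
    before_logout = store.resolve(stolen_cookie, now + 1)
    store.logout(victim_cookie)                 # victim clicks "log out"
    after_logout = store.resolve(stolen_cookie, now + 2)
    # Even the weak variant stops working once the idle timeout has elapsed.
    after_idle = store.resolve(stolen_cookie, now + 2 + IDLE_TIMEOUT + 1)
    return {
        "before_logout": before_logout,
        "after_logout": after_logout,
        "after_idle_timeout": after_idle,
    }


if __name__ == "__main__":
    print("weak logout:    ", demo_hijack(invalidate_on_logout=False))
    print("hardened logout:", demo_hijack(invalidate_on_logout=True))
```

Run it and the weak variant resolves the stolen cookie to "alice" both before and after logout, while the hardened variant returns None as soon as the user logs out. The idle timeout is the fallback for the case the diary also mentions (the user never logs out, or the browser was simply closed): a stolen cookie should stop working on its own after a bounded time even when the session was never explicitly ended.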