A pass-the-cookie attack reuses a stolen browser cookie to impersonate an already authenticated session. The attacker does not need the password if the cookie still represents a live identity state. This is especially dangerous when the cookie belongs to a privileged account or an unmanaged device.
Expanded Definition
A pass-the-cookie attack is a session hijacking technique that abuses a valid browser cookie as proof of identity, allowing an attacker to enter an authenticated session without knowing the password. In NHI and agentic environments, the risk is not limited to human web logins: any browser-mediated admin console, cloud control plane, or delegated tool session can become a target if the cookie remains live and reusable.
Definitions vary across vendors on whether this should be grouped under session hijacking, token theft, or credential replay, but the operational issue is the same: possession of the cookie can equal possession of the session. This is why guidance from sources such as CISA cyber threat advisories and the Ultimate Guide to NHIs consistently treats session artifacts as high-value secrets that require the same discipline as API keys and certificates.
The most common misapplication is assuming that a password reset or MFA challenge invalidates every active session. In practice, the server often keeps accepting existing cookies until the session is explicitly revoked or reaches its expiration.
Examples and Use Cases
Implementing session security rigorously often introduces user friction and more complex token lifecycle controls, requiring organisations to weigh convenience against the cost of tighter revocation, monitoring, and device-binding.
- An attacker exports a cookie from an unmanaged browser profile and uses it to open a cloud admin console session that was already authenticated.
- A phishing page or malicious browser extension captures an SSO session cookie, then replays it until the session expires or is revoked.
- A compromised endpoint exposes a browser profile cache, letting the attacker reuse the cookie to access internal dashboards and approved SaaS tools.
- In an AI operations workflow, a stolen session cookie grants access to a prompt management console or model deployment portal, turning a single browser session into tool-level control, a pattern discussed in the OWASP NHI Top 10 and related agentic security research.
- Security teams investigate repeated logins from the same cookie fingerprint across unusual geographies, using lessons from the 52 NHI Breaches Analysis to confirm that session abuse can precede broader secret theft.
Browser session theft is often easier to operationalize than password cracking because the attacker only needs one live token, not the original authentication flow.
Why It Matters in NHI Security
Pass-the-cookie matters because it collapses identity assurance after authentication has already succeeded. In NHI-heavy estates, that can expose dashboards, CI/CD systems, cloud portals, and agent control surfaces where a browser session provides broad standing authority. Once an attacker enters through a stolen cookie, normal password policy and MFA controls may not interrupt the session unless the organisation actively invalidates it. The Ultimate Guide to NHIs notes that 97% of NHIs carry excessive privileges, which magnifies the blast radius when a session is hijacked.
At a governance level, cookie replay is a reminder that session state is part of the identity attack surface, not just an implementation detail. It should be addressed with short session lifetimes, device-aware policies, revocation on risk events, and monitoring for replay from anomalous contexts. It also aligns with the threat patterns described in the Anthropic report on AI-orchestrated cyber espionage, where access gained through stolen session material can accelerate operational abuse. Organisations typically encounter the full impact only after an unusual login, unauthorized action, or data exposure reveals that a valid session had already been compromised, at which point addressing pass-the-cookie can no longer be deferred.
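As an added example (not code from the original page or from any vendor it cites), the following constructed Python session store applies the controls listed above: idle and absolute timeouts, a per-user revocation generation bumped on risk events such as a password reset so that every earlier cookie is rejected, and a device-aware context binding that rejects and flags a cookie presented from a different network or browser. All class and function names are hypothetical, and the caller supplies the clock so the behaviour is reproducible.

```python
import hashlib
import secrets
from dataclasses import dataclass
IDLE_TIMEOUT = 15 * 60       # seconds of inactivity after which the cookie dies
ABSOLUTE_TIMEOUT = 8 * 3600  # hard cap on a session's life regardless of activity

@dataclass
class Session:
    user: str
    generation: int    # user's revocation counter at the moment of issue
    context: str       # hash of the client context the cookie is bound to
    issued: float
    last_seen: float

class SessionStore:  # constructed in-memory store; the clock is passed in by the caller
    def __init__(self):
        self.sessions: dict[str, Session] = {}
        self.generation: dict[str, int] = {}  # per-user revocation counter
        self.alerts: list[str] = []

    @staticmethod
    def client_context(ip: str, user_agent: str) -> str:
        # Device-aware binding: /24 network prefix plus user agent.
        prefix = ".".join(ip.split(".")[:3])
        return hashlib.sha256(f"{prefix}|{user_agent}".encode()).hexdigest()

    def issue(self, user: str, ip: str, user_agent: str, now: float) -> str:
        cookie = secrets.token_urlsafe(32)
        gen = self.generation.setdefault(user, 0)
        self.sessions[cookie] = Session(user, gen, self.client_context(ip, user_agent), now, now)
        return cookie

    def revoke_user(self, user: str) -> None:
        # Risk event (password reset, MFA re-enrolment): every cookie issued earlier is now rejected.
        self.generation[user] = self.generation.get(user, 0) + 1

    def validate(self, cookie: str, ip: str, user_agent: str, now: float):
        s = self.sessions.pop(cookie, None)  # re-inserted only if every check passes
        if s is None:
            return None
        if now - s.issued > ABSOLUTE_TIMEOUT or now - s.last_seen > IDLE_TIMEOUT:
            return None
        if s.generation != self.generation.get(s.user, 0):
            return None  # issued before the last risk event: treat as revoked
        if s.context != self.client_context(ip, user_agent):
            self.alerts.append(f"replay suspected for {s.user}")  # same cookie, new device
            return None
        s.last_seen = now
        self.sessions[cookie] = s
        return s.user
```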
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Covers session and token abuse that enables replay of live identities. |
| NIST CSF 2.0 | PR.AC-7 | Addresses authentication and access enforcement for session-based identity use. |
| NIST Zero Trust (SP 800-207) | SA-3 | Zero Trust requires continuous evaluation, not trust based only on initial login. |
Continuously re-evaluate session trust and require reauthentication for sensitive actions.