Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 569
  • Last Modified:

How can I protect my website from javascript injections or cookie edits?

I was browsing the web for possible security issues with my website, and I was shocked at what I found.  I was able to login to administrator accounts without knowing username and login information, and do anything I wanted within my site.

I typed the following into the URL:
javascript:alert(document.cookie);

I store user login information in the cookie by using login=USER_ID

I then typed in:
javascript:void(document.cookie="login = 1");

This gave me access to my entire site!

So my question is....how do I prevent this?  I'm assuming I'll have to recode how my site determines when a user is logged in.
0
stackshady
Asked:
stackshady
  • 2
  • 2
1 Solution
 
BlazCommented:
Use session for "login" variable instead of a cookie. The user does not have access to session variables.
0
 
stackshadyAuthor Commented:
Thanks Blaz, but I need the users to stay logged in for up to 2 weeks at a time.  I thought sessions were only temporary and go away after the user closes the browser, thus having to login every time.  Is there a way to make them last longer or do I need to store a cookie that will create a new session somehow?  Thanks for the help.  (I'm coding in PHP by the way)
0
 
BlazCommented:
You could code something similar to sessions yourself.

Every time the user logs in create a unique ID (long) 6666666-7777777-888888888-99999999-11111111-QWRGRRDSAG. Save this ID to your database together with information about this "session" - login ID, username, login time, last access time... Save this ID also to client cookie. Always match the ID from the cookie with your database. You could also match username in cookie and the database etc.

If you find a match you get the user ID from the database.

Update access time everytime you check the login ID (probably on every page)

Delete records where last access time > 2 weeks.
0
 
stackshadyAuthor Commented:
This makes sense, thank you!
0

Featured Post

Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.

  • 2
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now