Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

How can I protect my website from javascript injections or cookie edits?

Posted on 2009-04-14
4
Medium Priority
?
567 Views
Last Modified: 2013-11-25
I was browsing the web for possible security issues with my website, and I was shocked at what I found.  I was able to login to administrator accounts without knowing username and login information, and do anything I wanted within my site.

I typed the following into the URL:
javascript:alert(document.cookie);

I store user login information in the cookie by using login=USER_ID

I then typed in:
javascript:void(document.cookie="login = 1");

This gave me access to my entire site!

So my question is....how do I prevent this?  I'm assuming I'll have to recode how my site determines when a user is logged in.
0
Comment
Question by:stackshady
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
4 Comments
 
LVL 16

Expert Comment

by:Blaz
ID: 24136630
Use session for "login" variable instead of a cookie. The user does not have access to session variables.
0
 

Author Comment

by:stackshady
ID: 24136815
Thanks Blaz, but I need the users to stay logged in for up to 2 weeks at a time.  I thought sessions were only temporary and go away after the user closes the browser, thus having to login every time.  Is there a way to make them last longer or do I need to store a cookie that will create a new session somehow?  Thanks for the help.  (I'm coding in PHP by the way)
0
 
LVL 16

Accepted Solution

by:
Blaz earned 500 total points
ID: 24136913
You could code something similar to sessions yourself.

Every time the user logs in create a unique ID (long) 6666666-7777777-888888888-99999999-11111111-QWRGRRDSAG. Save this ID to your database together with information about this "session" - login ID, username, login time, last access time... Save this ID also to client cookie. Always match the ID from the cookie with your database. You could also match username in cookie and the database etc.

If you find a match you get the user ID from the database.

Update access time everytime you check the login ID (probably on every page)

Delete records where last access time > 2 weeks.
0
 

Author Closing Comment

by:stackshady
ID: 31569831
This makes sense, thank you!
0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

If you're a modern-day technology professional, you may be wondering if certifications are really necessary. They are. Here's why.
A bad practice commonly found during an account life cycle is to set its password to an initial, insecure password. The Password Reset Tool was developed to make the password reset process easier and more secure.
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …
Simple Linear Regression

609 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question