Solved

How can I protect my website from javascript injections or cookie edits?

Posted on 2009-04-14
4
531 Views
Last Modified: 2013-11-25
I was browsing the web for possible security issues with my website, and I was shocked at what I found.  I was able to login to administrator accounts without knowing username and login information, and do anything I wanted within my site.

I typed the following into the URL:
javascript:alert(document.cookie);

I store user login information in the cookie by using login=USER_ID

I then typed in:
javascript:void(document.cookie="login = 1");

This gave me access to my entire site!

So my question is....how do I prevent this?  I'm assuming I'll have to recode how my site determines when a user is logged in.
0
Comment
Question by:stackshady
  • 2
  • 2
4 Comments
 
LVL 16

Expert Comment

by:Blaz
ID: 24136630
Use session for "login" variable instead of a cookie. The user does not have access to session variables.
0
 

Author Comment

by:stackshady
ID: 24136815
Thanks Blaz, but I need the users to stay logged in for up to 2 weeks at a time.  I thought sessions were only temporary and go away after the user closes the browser, thus having to login every time.  Is there a way to make them last longer or do I need to store a cookie that will create a new session somehow?  Thanks for the help.  (I'm coding in PHP by the way)
0
 
LVL 16

Accepted Solution

by:
Blaz earned 125 total points
ID: 24136913
You could code something similar to sessions yourself.

Every time the user logs in create a unique ID (long) 6666666-7777777-888888888-99999999-11111111-QWRGRRDSAG. Save this ID to your database together with information about this "session" - login ID, username, login time, last access time... Save this ID also to client cookie. Always match the ID from the cookie with your database. You could also match username in cookie and the database etc.

If you find a match you get the user ID from the database.

Update access time everytime you check the login ID (probably on every page)

Delete records where last access time > 2 weeks.
0
 

Author Closing Comment

by:stackshady
ID: 31569831
This makes sense, thank you!
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

A customer recently asked me about anti-malware and the different deployment options available for his business. Daily news about cyberattacks, zero-day vulnerabilities, and companies that suffered a security breach made him wonder if the endpoint a…
An analysis of the phishing scam that has been affecting Google users, along with steps to take for protection, as well as what to do if you receive one of the emails.
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
With the power of JIRA, there's an unlimited number of ways you can customize it, use it and benefit from it. With that in mind, there's bound to be things that I wasn't able to cover in this course. With this summary we'll look at some places to go…

920 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

15 Experts available now in Live!

Get 1:1 Help Now