Solved

How can I protect my website from javascript injections or cookie edits?

Posted on 2009-04-14
4
554 Views
Last Modified: 2013-11-25
I was browsing the web for possible security issues with my website, and I was shocked at what I found.  I was able to login to administrator accounts without knowing username and login information, and do anything I wanted within my site.

I typed the following into the URL:
javascript:alert(document.cookie);

I store user login information in the cookie by using login=USER_ID

I then typed in:
javascript:void(document.cookie="login = 1");

This gave me access to my entire site!

So my question is....how do I prevent this?  I'm assuming I'll have to recode how my site determines when a user is logged in.
0
Comment
Question by:stackshady
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
4 Comments
 
LVL 16

Expert Comment

by:Blaz
ID: 24136630
Use session for "login" variable instead of a cookie. The user does not have access to session variables.
0
 

Author Comment

by:stackshady
ID: 24136815
Thanks Blaz, but I need the users to stay logged in for up to 2 weeks at a time.  I thought sessions were only temporary and go away after the user closes the browser, thus having to login every time.  Is there a way to make them last longer or do I need to store a cookie that will create a new session somehow?  Thanks for the help.  (I'm coding in PHP by the way)
0
 
LVL 16

Accepted Solution

by:
Blaz earned 125 total points
ID: 24136913
You could code something similar to sessions yourself.

Every time the user logs in create a unique ID (long) 6666666-7777777-888888888-99999999-11111111-QWRGRRDSAG. Save this ID to your database together with information about this "session" - login ID, username, login time, last access time... Save this ID also to client cookie. Always match the ID from the cookie with your database. You could also match username in cookie and the database etc.

If you find a match you get the user ID from the database.

Update access time everytime you check the login ID (probably on every page)

Delete records where last access time > 2 weeks.
0
 

Author Closing Comment

by:stackshady
ID: 31569831
This makes sense, thank you!
0

Featured Post

Is Your DevOps Pipeline Leaking?

Is your CI/CD pipeline a hodge-podge of randomly connected tools? You’ve likely got a tool to fix one problem & then a different tool to fix another, resulting in a cluster of tools with overlapping functionality. Learn how to optimize your pipeline with Gartner's recommendations

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

No single Antivirus application (despite claims by manufacturers) will catch or protect you from all Virus / Malware or Spyware threats. That doesn't stop you from further protecting yourself however - and this article is to show you how.
Many of you may be aware of the recent Google Docs scam emails that have been floating around coming from various people that you know. Here's a guide on identifying How To Identify the Scam Email You will see an email from someone you’ve had co…
With the power of JIRA, there's an unlimited number of ways you can customize it, use it and benefit from it. With that in mind, there's bound to be things that I wasn't able to cover in this course. With this summary we'll look at some places to go…
Progress

729 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question