I have a server running some number of sites.
For example: example.com, a.example.com, b.example.com
All sites are routed via nginx to Unix domain sockets.
Each site is a gunicorn instance.
Can applications on subdomains read/write cookie data from example.com or from other subdomains?
If yes, how do I disable it?
Sure, you can use separate cookies for the subdomain. The Cookie standards allow you to set a domain, which will be the only domain that browsers will send the cookie back to. You can set "a.example.com" as the domain, and browsers will only send cookies from that domain back to that domain.
From my reading of RFC 2965 for cookies, "a.example.com" cannot set a cookie for "b.example.com", only "example.com".
I think the bottom line is to be sure that you are using the "domain" property of cookies to set cookies for the subdomain, and not just "example.com", which all subdomains could read and write to.
I am able to access cookies created locally by using req.cookies or grabbing something specific (req.cookies['myvar']).
However, say a cookie was stored on a top-level domain (domain.com) and I am in my subdomain app (my.domain.com): how would I grab a cookie value from a certain domain?
The Domain and Path directives define the scope of the cookie: what URLs the cookies should be sent to.
Domain specifies allowed hosts to receive the cookie. If unspecified, it defaults to the host of the current document location, excluding subdomains. If Domain is specified, then subdomains are always included.
For example, if Domain=mozilla.org is set, then cookies are included on subdomains like developer.mozilla.org.
https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#Scope_of_cookies
I have a website that will have customers logging into:
www.example.com/login
and will do their authenticated tasks here
www.example.com/dashboard/
Customers will also have their own public facing content here:
customer1.example.com
The public-facing content is where they can't write their own content, so I am concerned if they write some JavaScript etc. to grab cookie information somehow, i.e. they write JavaScript, and when a different user who was authenticated on www.example.com goes to their site, the JavaScript will grab their session cookie and send it over to another website.
When cookies are stored at the root domain and sub-domain, are they freely accessible at each level?
Trying to understand the security implications.
Cookies will be accessible for all subdomains of the host you specify in the Domain attribute.
If you set Domain=example.com, the cookies will be available to all subdomains of example.com.
A cookie with Domain=www.example.com will only be accessible for www.example.com and subdomains of www.example.com (e.g. foo.bar.www.example.com) - no worries if you do that.
However, note that this also means it won't be accessible from example.com.
The most restrictive option is to omit the Domain attribute, by not sending it at all. In that case, the cookie should only be accessible for the hostname that sent it. That is, if you send it from www.example.com, it will only be sent back to www.example.com and not even to its subdomains.
This is all explained in RFC 6265, section 4.1.2.3.
I am using the express-session module to maintain sessions. I have two apps and I want to share cookies between them: the parent app runs on example.com, and the child app runs on child.example.com. I set an HttpOnly cookie using express-session; it is set in the child app. I can verify that cookie in the Resources tab of the Chrome debugger.
Network tab:
On the first call to the sub-domain:
it loads "http://www.child.example.com" with the cookie set in the request, but the URL is redirected to the server IP, and the cookie is not available after that.
e.g. on http://13.25.230.2/index the cookie is not available.
When you send the Set-Cookie HTTP header, you can specify the domain it is for.
Set-Cookie: name=value; domain=example.com
The domain must be a suffix of the domain hosting the page.
i.e. foo.example.com, bar.baz.example.com and www.example.com can all share a cookie belonging to example.com.
A URL using an IP address has no hostname in it at all and cannot match that rule.
There is no way to share your cookie between example.com and 13.25.230.2. Give the site a hostname instead.
There is no way you can set a cookie using the Set-Cookie header from one host to another, for example from example.com to foobar.com.
If you have to do it, then do it by passing the cookie value to a server-side script, for example foobar.com\set-my-cookie.php, and use it to save the cookie.
HttpOnly cookies cannot be set or read from client-side code.
Say you only want to send cookies over HTTPS to the client - not over HTTP. You could use the HTTP secure flags as mentioned in this article. However, since you can use the Apache mod_rewrite module to send a redirect to the user from the HTTP version of your site to the HTTPS version, shouldn't that mean that it will secure the cookies? In other words, does the server send your cookies if its sending out a redirect?
If you are redirecting from HTTP to HTTPS and then set cookies, these cookies will be set over HTTPS. Say you redirect the user from http://www.example.com to https://www.example.com, the Set-Cookie header sent from www.example.com to the user will be encrypted during transport.
However, if the user comes back and enters http://www.example.com in their browser, if the Secure Flag was not set on the cookie, the cookie will be sent over HTTP, unencrypted.
This can also happen if any internal links on your site are HTTP, if any links on other sites to yours are HTTP, or if a MITM attacker injects an HTTP resource from your site on another site (e.g. <img src="http://www.example.com/x.jpg" /> will leak the cookie over HTTP).
This is why it is advisable to set the secure flag. HSTS can be used to help ensure connections remain on HTTPS only, however setting the secure flag should be the primary focus.
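The answers above on the Domain attribute (RFC 6265 scope, host-only cookies, the suffix rule and the IP-address case) and on the Secure flag all describe the same browser algorithm. The following is an added example, written for this page and not taken from the thread or from any of the projects it mentions: a small Node.js model of the RFC 6265 rules (section 5.1.3 domain matching, 5.3 cookie storage, 5.4 cookie selection) that replays the thread's scenarios. The hostnames and the IP address are the ones used in the thread; every cookie name and value is constructed for illustration, and the public-suffix check a real browser performs is left out.

```javascript
// Added example, not code from the thread: a model of the RFC 6265 cookie
// rules the answers above describe. Hostnames and the IP address come from
// the thread; all cookies below are constructed for illustration.

// 5.1.3: a request host domain-matches a cookie domain if they are equal, or
// if the host ends with "." + domain and the host is a name, not an IP address.
function isIpAddress(host) {
  return /^\d{1,3}(\.\d{1,3}){3}$/.test(host) || host.includes(":");
}

function domainMatch(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase();
  return host === domain || (host.endsWith("." + domain) && !isIpAddress(host));
}

// Parse one Set-Cookie header received from originUrl and store it in jar.
// No Domain attribute -> host-only cookie for exactly the origin host.
// Domain attribute -> accepted only if the origin host domain-matches it, so
// a.example.com cannot plant a cookie for b.example.com. (Real browsers also
// reject public suffixes such as Domain=com; that list is omitted here.)
// Returns true if stored, false if a browser would ignore the header.
function storeCookie(jar, originUrl, setCookie) {
  const origin = new URL(originUrl);
  const [pair, ...attrs] = setCookie.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = {
    name: pair.slice(0, eq).trim(),
    value: pair.slice(eq + 1).trim(),
    domain: origin.hostname.toLowerCase(),
    hostOnly: true,
    path: "/",
    secure: false,
    httpOnly: false,
  };
  for (const attr of attrs) {
    const i = attr.indexOf("=");
    const key = (i < 0 ? attr : attr.slice(0, i)).trim().toLowerCase();
    const val = i < 0 ? "" : attr.slice(i + 1).trim();
    if (key === "domain" && val) {
      const d = val.replace(/^\./, "").toLowerCase(); // a leading dot is ignored
      if (!domainMatch(origin.hostname, d)) return false;
      cookie.domain = d;
      cookie.hostOnly = false;
    } else if (key === "path" && val.startsWith("/")) {
      cookie.path = val;
    } else if (key === "secure") {
      cookie.secure = true;
    } else if (key === "httponly") {
      cookie.httpOnly = true;
    }
  }
  jar.push(cookie);
  return true;
}

// 5.4: would the browser attach this cookie to a request for url (a URL object)?
function attaches(cookie, url) {
  const host = url.hostname.toLowerCase();
  const hostOk = cookie.hostOnly ? host === cookie.domain : domainMatch(host, cookie.domain);
  const prefix = cookie.path.endsWith("/") ? cookie.path : cookie.path + "/";
  const pathOk = url.pathname === cookie.path || url.pathname.startsWith(prefix);
  const schemeOk = !cookie.secure || url.protocol === "https:"; // Secure flag
  return hostOk && pathOk && schemeOk;
}

// Names of the cookies sent in the Cookie header of a request for url.
function cookiesFor(jar, url) {
  const u = new URL(url);
  return jar.filter((c) => attaches(c, u)).map((c) => c.name);
}

// Names a script on the page at url can read via document.cookie: the same
// set minus HttpOnly cookies (HttpOnly does not stop the network send).
function scriptVisible(jar, url) {
  const u = new URL(url);
  return jar.filter((c) => attaches(c, u) && !c.httpOnly).map((c) => c.name);
}

// The thread's scenarios, replayed with constructed cookies.
function threadScenarios() {
  const jar = [];
  const login = "https://www.example.com/login";
  storeCookie(jar, login, "sid_wide=1; Domain=example.com; Path=/; HttpOnly");
  storeCookie(jar, login, "sid_www=2; Domain=www.example.com; Path=/; Secure; HttpOnly");
  storeCookie(jar, login, "sid_hostonly=3; Path=/; Secure; HttpOnly");
  storeCookie(jar, login, "theme=dark; Domain=example.com");
  const siblingAccepted = storeCookie(jar, "https://a.example.com/", "evil=4; Domain=b.example.com");
  storeCookie(jar, "https://a.example.com/", "a_only=5");
  return {
    siblingAccepted,                                                    // false
    dashboard: cookiesFor(jar, "https://www.example.com/dashboard/"),  // all four www cookies
    customerRequest: cookiesFor(jar, "https://customer1.example.com/"), // Domain=example.com ones
    customerScript: scriptVisible(jar, "https://customer1.example.com/"), // only non-HttpOnly
    apex: cookiesFor(jar, "https://example.com/"),                      // Domain=www.* not sent
    plainHttpImage: cookiesFor(jar, "http://www.example.com/x.jpg"),    // non-Secure ones leak
    byIp: cookiesFor(jar, "http://13.25.230.2/index"),                  // nothing
    siblingB: cookiesFor(jar, "https://b.example.com/"),                // a_only not sent
  };
}

console.log(JSON.stringify(threadScenarios(), null, 2));
```

Run it with `node` and compare the printed sets against the answers: the cookie scoped to example.com rides along to customer1.example.com even though its HttpOnly flag hides it from that page's scripts, the host-only and Domain=www.example.com cookies never reach example.com or sibling subdomains, an IP-address URL matches nothing, and only the cookies lacking the Secure flag are attached to the plain-HTTP image request.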
I have a website that came with an SSL site for HTTPS, but it's on a different server. Example being
my website:
http://example.com
my SSL site:
https://myhostingcompany.com/~myuseraccount/
So I can do transactions over HTTPS and we have user accounts and everything but it is located on a different domain. The cookie domain is set for that one.
Is there a way I can check on my actual site to see if a cookie is set for the other one? And possibly grab its data and auth a user?
I think this violates a major principle of security and can't be done for good reasons, but am I wrong? Is this possible?
You can setup a service on either site to handle RPC via HTTP POST requests. You can make it require some sort of session that can only be created by your sites. However, whatever can be accessed over that shared session on the HTTPS site will have no guarantee of confidentiality or integrity.