
If my website writes a string into cookies using document.cookie, will any website be able to read those strings, or only the one that created it? If anyone can read it, is there a way to limit access to the string? This is a question in JavaScript.
EDIT: I don't have much of a problem if a third party reads my cookie; they shouldn't be able to edit/delete it. Can a hacker do that?

  • Do people find it fun to downvote everything they see? –  Apr 26 '15 at 05:12
  • If your domain uses a subdomain, like mysite.myhosting.com, then it is definitely insecure; otherwise you should be fine. The use can always edit / delete the cookie. It depends on the client browser. You can never be 100% sure on the behavior. If malicious software gets on the user's computer the data won't be secure. Also if the user uses a non-standard browser that lets cookies be shared, that might be an issue. My best solution is to encrypt everything with a simple hash and store the hash server-side – Downgoat Apr 26 '15 at 05:12
  • @vihan1086 I didn't get what you meant by 'The use can always edit / delete the cookie'. Could you rephrase? –  Apr 26 '15 at 05:14
  • That was a typo, I meant *user*. I upvoted your question. Just don't store any important data in cookies such as emails, *especially* passwords. – Downgoat Apr 26 '15 at 05:16
  • Can a third party (hacker) edit/delete it? It is not important information or anything, and it is already hashed and sent to the server. It is in the cookie for quick reference while moving from page to page... If it is deleted it can spoil the experience... –  Apr 26 '15 at 05:20
  • A hacker can do anything, *always*, but you should be fine if you have a top-level domain. If you don't have a top-level domain, you aren't safe from a third party editing/deleting. – Downgoat Apr 26 '15 at 05:21
  • That's all I needed! Some are busy just downvoting and not answering the question! –  Apr 26 '15 at 05:26

4 Answers

Only the same domain (i.e., http://thisisasubdomain.domain.com) should be able to read the cookie; there's no way to request the cookies for a different site (except, of course, through security vulnerabilities, which browsers always try to patch). Note that the browser's user can read the cookie, so don't put anything in there meant to be kept secret from the user, like an important decryption key.

Katana314

There is no guarantee that others are prevented from having access to cookies. So, if the data is sensitive, it's a good idea to handle it on the server side and not store it in cookies.

Super Hornet

HTTP is a stateless protocol; the concept of cookies came into existence in order to keep the user session intact across multiple webpages. That said, cookie data is associated with the domain name of the website that created it, making it accessible only to that website. The serving of cookies is implemented by the browser, and the only security threats that could possibly affect it are:

  • bad implementation of cookies by the browser: this is a fairly common test case in security testing of all browsers, so it isn't all that common.
  • DNS poisoning: this could be pulled off by mimicking the website that actually created the cookie. With HTTPS this can be overcome easily.

The Wikipedia article on cookies is self-explanatory; the list of possible ways to access/steal cookie data is mentioned there.

Theresa

From within the browser, a cookie created on a.com is only available to other pages on a.com. It cannot be accessed by pages in other domains. This is a very specific design principle of cookies. When you create the cookie, you can separately control whether the cookie also has path restrictions (it can only be accessed by some pages on a.com).

You can also control whether a sub-domain can access your cookie or not such as sub.a.com. See this answer for details on sub-domain access.

Likewise, the cookie will only be sent to the server a.com, not to any other servers. But, if you are not using https, then you should be aware that the cookie is being transmitted in plain text over the network each time you make a request of a.com.

Cookie data itself is stored by the browser on the user's local hard drive, so a cookie may be accessed from outside of the browser (by a local application, not from within the browser) depending upon browser and OS implementation. If you really want no outside agent to be able to get to the data, then (as others have said), only keep the data on the server.

jfriend00
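The domain and path scoping that the last answer describes follows fixed matching rules (RFC 6265). The following is an added example, not code from any of the answers above: a small model of those rules showing why a cookie set without a Domain attribute stays host-only, why `Domain=a.com` widens it to subdomains, and why a Domain naming an unrelated site is rejected. Hostnames and paths (a.com, www.a.com, /app) are constructed; public-suffix checks are not modelled.

```javascript
// Added example: a model of RFC 6265 cookie scoping, not the answers' own code.
// Domain-match: equal host, or a subdomain when the cookie is not host-only.
function domainMatches(host, cookieDomain, hostOnly) {
  host = host.toLowerCase(); cookieDomain = cookieDomain.toLowerCase();
  if (host === cookieDomain) return true;
  return !hostOnly && host.endsWith('.' + cookieDomain);
}

// Path-match: identical, or a prefix that ends in "/" or is followed by "/".
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith('/') || requestPath[cookiePath.length] === '/';
}

// Default-path: the directory of the request path when no Path is given.
function defaultPath(requestPath) {
  const i = requestPath.lastIndexOf('/');
  return i <= 0 ? '/' : requestPath.slice(0, i);
}

// Build the record a browser stores when a page at originHost/originPath runs
// document.cookie = "sid=abc; Domain=a.com; Path=/app; Secure". Returns null
// when the browser would reject the cookie (Domain does not cover the origin).
function storeCookie(setCookieString, originHost, originPath) {
  const [nv, ...attrs] = setCookieString.split(';').map(s => s.trim());
  const [name, value] = nv.split('=');
  const c = { name, value, domain: originHost.toLowerCase(), hostOnly: true,
              path: defaultPath(originPath), secure: false };
  for (const attr of attrs) {
    const [k, v = ''] = attr.split('=');
    switch (k.toLowerCase()) {
      case 'domain': {
        const d = v.replace(/^\./, '').toLowerCase();
        if (!domainMatches(originHost, d, false)) return null; // foreign domain
        c.domain = d; c.hostOnly = false; break;
      }
      case 'path': if (v.startsWith('/')) c.path = v; break;
      case 'secure': c.secure = true; break;
    }
  }
  return c;
}

// Would the browser attach this stored cookie to a request for `url`?
function isSentTo(cookie, url) {
  const u = new URL(url);
  return (!cookie.secure || u.protocol === 'https:') &&
    domainMatches(u.hostname, cookie.domain, cookie.hostOnly) && pathMatches(u.pathname, cookie.path);
}
```

Running `isSentTo` against a few URLs shows that a cookie created by a.com is never attached to requests for another domain, and that the Secure flag keeps it off plain-HTTP requests, which addresses the plaintext transmission point raised above.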