Where can I learn (or what is) about a cookie's scope to avoid CSRF and XSS attacks for authenticated users?
For example, if I have a multi-tenant system where a single user can be access to one or more sites what is more secure:
or
What happens if I set a cookie at "hoster.com"?
You can restrict the validity scope of cookie in the domain and the path separately. So you could set a cookie in both scenarios that is only valid for that specific domain/path combination:
To set a cookie for //company1.example.com/
only:
Set-Cookie: name=value; Path=/
Omitting the Domain attribute makes the cookie only valid for the domain that it was set in. And with Path=/
the cookie is valid for any path that has the prefix /
.
To set a cookie for //example.com/company1/
only:
Set-Cookie: name=value; Path=/company1/
Same explanation as for the example above. The only restriction is that you need to use /company1/
instead of /company1
as Path=/company1
would be equivalent to Path=/
and thus would make the cookie also valid for /company2
and /company3
.
And to avoid that the cookie can be read via JavaScript (reducing the assets accessible using XSS), set the HttpOnly attribute.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With