What is an Overly Broad Cookie Path and How to Avoid It?
Problem:
We developers often set cookies to the root path ("/"). This exposes the cookies to every application in a shared hosting environment, where multiple virtual applications run under the same site.

Let us assume that there are two applications hosted side by side under the same site: a Good Application and an Evil Application.

When the user logs into the Good Application, the cookies set by the Good Application will be accessible to the Evil Application if the path is not restricted. Since the Evil Application can read the Good Application's cookies, its operator can pick up information such as the session ID or the authentication cookie itself and masquerade as a user of the Good Application.
How to Overcome this?
Set the path to the application's own path whenever a cookie is set, or alternatively set the path of all outgoing cookies in one place, in Application_EndRequest in Global.asax:
    // Global.asax.cs
    using System;
    using System.Web;
    public class Global : HttpApplication
    {
        // Runs for every response: rescope each outgoing cookie from "/" to this application's virtual path
        protected void Application_EndRequest(object sender, EventArgs e)
        {
            if (Response.Cookies.Count > 0)
            {
                foreach (var s in Response.Cookies.AllKeys)
                {
                    var cookie = Response.Cookies[s];
                    if (cookie != null)
                        cookie.Path = Request.ApplicationPath;
                }
            }
        }
    }
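To see what the Path attribute actually changes on the browser side, here is an added example (not from the original post) that implements the RFC 6265 path-matching rules and runs a constructed two-application scenario through them; the cookie names, the /GoodApp and /EvilApp paths and the jar layout are assumptions for illustration.

```python
"""RFC 6265 cookie path matching (section 5.1.4), to show why Path=/ leaks a
cookie to every co-hosted application and what Path=<application path> changes."""


def default_path(request_path: str) -> str:
    """Path a browser assigns when Set-Cookie carries no Path attribute."""
    if not request_path.startswith("/"):
        return "/"
    cut = request_path.rfind("/")
    # Everything up to, but not including, the right-most "/"; "/" if none remains.
    return "/" if cut == 0 else request_path[:cut]


def path_matches(cookie_path: str, request_path: str) -> bool:
    """True if a cookie scoped to cookie_path is attached to a request for request_path."""
    if cookie_path == request_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    if cookie_path.endswith("/"):
        return True
    # Prefix match only counts at a path-segment boundary, so /GoodApp does not cover /GoodApp2.
    return request_path[len(cookie_path)] == "/"


def cookies_sent(jar: dict, request_path: str) -> list:
    """Sorted names of the jar's cookies (name -> path) the browser would send to request_path."""
    return sorted(name for name, path in jar.items() if path_matches(path, request_path))


# Constructed sample: the same two cookies, once with the default root path and once
# scoped to the application path, as the Application_EndRequest handler above would do.
BROAD = {"ASP.NET_SessionId": "/", ".ASPXAUTH": "/"}
SCOPED = {"ASP.NET_SessionId": "/GoodApp", ".ASPXAUTH": "/GoodApp"}

if __name__ == "__main__":
    for label, jar in (("Path=/", BROAD), ("Path=/GoodApp", SCOPED)):
        for target in ("/GoodApp/Default.aspx", "/EvilApp/Default.aspx", "/GoodApp2/"):
            print(f"{label:14} -> {target:22} {cookies_sent(jar, target)}")
```

Path is a scoping hint, not an isolation boundary: the same-origin policy ignores the path, so script served from another application on the same host can still reach /GoodApp cookies through a same-origin frame. Real separation between applications requires separate hostnames.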
References:
1. http://www.hpenterprisesecurity.com/vulncat/en/vulncat/dotnet/cookie_security_overly_broad_path.html

how to do this by htaccess