2

I want to create a webpage which redirects a user if some cookies are previously set by my webpage. Like this: (I am using a jquery cookie plugin)

// get cookies
var email = $.cookie("email_addr");
var postcode = $.cookie("post_code");

if(email != undefined && postcode != undefined) {
    // insert cookies into redirect url
    var redirect =
    "https://docs.google.com/forms/d/1BofVyLFj9-Y2RQ8LxZuaptS071yHDqW4cdZhvvqTNz8/viewform?entry.139029761=" + email +
    "&entry.1727046863=" + postcode;
    console.log(redirect);
}

(URL character replacement omitted for readability)

Can I assume the cookies are safe, and are cannot be modified by anyone but the user and the application, so xss attacks are not possible, or do I need to validate them anyway?

I will validate the cookies when they are set, my question is if I can trust my own cookies.

2 Answers2

5

You should always validate data provided by user and assume that it could be modified. It can be even modified not by a third party, but by a malicious user or by someone who has access to legitimate user's browser. You should also protect cookies that contain user personal data (email, password, address, etc.) from XSS. A good way would be using HttpOnly flag. A better way is to encrypt cookies, so only your application knows their content. This would prevent cookies content from direct access as well.

Important As @Eda190 stated in comments to the following answer, you should not protect only cookies from XSS, but your application in general. Here is a good cheat sheet.

Timur Osadchiy
  • 5,699
  • 2
  • 26
  • 28
  • But if a malicious user edits his cookie, it will only affect himself, right? So why would I need to validate it? –  Mar 07 '15 at 13:15
  • It will only afect him, but if the attacker finds a way to inject his code onto your website, he can proceed to READ cookies from EVERY SINGLE user, that visits the injected page. – Eda190 Mar 07 '15 at 13:28
  • @joris_van_winden someone who has a direct access to legitimate user's browser may modify his cookies. If normal functioning of your application depends on data stored in cookies and there is a risk of harming your application by modifying that data, you should validate them. – Timur Osadchiy Mar 07 '15 at 13:40
0

No. Cookies are not at all safe and should either contain least amount of data or you should encrypt them very well with salts.

One thing to say, anything you send to client , POST , GET or Cookies . Everything can be modified . Yet cookies modification is not know to many. Most people think of eatable cookies rather. So if your data is not important use cookies if you wish.

If data matters, it is login info or such , use multiple highly encoded or more precisly hashed . And if it doesn't matter then cookies are no trouble.

frunkad
  • 2,433
  • 1
  • 23
  • 35
  • It's not about the security of the data, it's about xss vulnerabilities –  Mar 07 '15 at 13:19