Ok, i have always wondered if these 2 actions are possible:

1. To manipulate cookies. I mean, if i login for example into facebook it will save a cookie in my browser. Could i edit it in anyway? I think so since it is set into MY browser and not set locally.
2. To manipulare a javascript script. I mean, since javascript is read by the browser and every user can read the language, could it be edited? For example, let's say i have an ajax call that send data strings like user=basic or something (it's just an example), could someone change it to user=admin?

I hope this kind of things are not possible or i am pretty much f****d!

Ok, i have always wondered if these 2 actions are possible:

1. To manipulate cookies. I mean, if i login for example into facebook it will save a cookie in my browser. Could i edit it in anyway? I think so since it is set into MY browser and not set locally.
2. To manipulare a javascript script. I mean, since javascript is read by the browser and every user can read the language, could it be edited? For example, let's say i have an ajax call that send data strings like user=basic or something (it's just an example), could someone change it to user=admin?

I hope this kind of things are not possible or i am pretty much f****d!

• php
• javascript
• ajax
• security
• cookies

• Pigarelli wele to the Internet, 2011 AD. – Pointy Commented Jan 14, 2011 at 21:03
• Doesn't nobody think that making cookies and javascript protected could save thousands of useless line of code? – Shoe Commented Jan 14, 2011 at 21:04
• It's just not possible to do that without imposing a pletely different set of rules for the Internet and for personal puters in general. In today's world, you have to hand over your content to the end user equipment for it to be shown on the screen. So long as there are things like open-source web browsers (and whole operating systems), you don't control enough of the user equipment to allow content to be secured. – Pointy Commented Jan 14, 2011 at 21:09

6 Answers 6

In that case, I'm sorry to say you are pretty much f****d.

You must always assume that everything on the client side can be manipulated by some evil hacker. This includes cookies and JavaScript.

Firefox makes this extra easy, using the Edit Cookies extension for cookies, and Firebug to edit JavaScript (and HTML and CSS).

Both users and javascript can manipulate cookie data. However, broswers have optional (maybe default) protection against setting cookie data cross-domain.

I think modifying cookies should be pretty easy, as they're stored locally. I checked and in firefox there's a bunch of sqlite files that seem to have that. I don't know much about sqlite, but it seems that modifying them should not be a problem (especially since you could get to the browser source code in this case and see how it interacts with them :) )

I'm not sure about javascript modification, it most surely can be done by messing around with low level HTTP stuff (intercepting request and sending bogus responses with the modified code). Anti cross-site scripting policies helps a little, but I wouldn't rely on them much, there should be security checks server based to be safer.

1. Yes/No, your domain can only manipulate cookies set by your domain. Your JS script, being on youdomain. or localhost cannot edit a cookie set by facebook.. Think about it, Internet would have imploded by now if you could do that.

   However, users can edit their cookies at will.

2. Yes.

Yes and yes, and there are even tools specifically designed to make doing so easy. Getting security right is hard, and unfortunately it's something that greener web developers often pletely miss.

The only thing you can really safely store in a cookie is a login token. Basically, each time your user logs in, generate something like a GUID. Save the GUID to a column in the user's record (like LoginToken or whatever) and then set their cookie to the same GUID. When they logout, clear the record's LoginToken. Then when a request es in, you can just query your database for the user who has a LoginToken equal to the value in the cookie. It's safe to assume that by holding the token, the requestor is in fact the user represented by the token.

If a malicious user edits their cookie, they'll get nothing more than logged out, since you'd treat a not-found token the same as no token at all.

On the server, once you check a token, you then determine if that user has admin rights (usually by looking at their record).

As far as being able to modify script, that's just a fact of life. Your server code has to assume that every request is malicious. Before you do anything, verify their token and verify that they're allowed to do what they're requesting.

2 things:

• Validate the data client-side for usability, but also do it server-side to prevent someone from tampering with the data
• Encrypt cookies to make it harder to manipulate