Where can I learn (or what is) about a cookie's scope to avoid CSRF and XSS attacks for authenticated users?

For example, if I have a multi-tenant system where a single user can be access to one or more sites what is more secure:

• pany1.hoster
• pany2.hoster
• pany3.hoster

or

• www.hoster/pany1
• www.hoster/pany2
• www.hoster/pany3

What happens if I set a cookie at "hoster"?

Where can I learn (or what is) about a cookie's scope to avoid CSRF and XSS attacks for authenticated users?

For example, if I have a multi-tenant system where a single user can be access to one or more sites what is more secure:

• pany1.hoster.
• pany2.hoster.
• pany3.hoster.

or

• www.hoster./pany1
• www.hoster./pany2
• www.hoster./pany3

What happens if I set a cookie at "hoster."?

• javascript
• security
• cookies
• multi-tenant

• I think you mean XSS (Cross site scripting). CSRF is a request forgery, and it doesn't matter (unless checked by the attacked domain) where the request originated from (and you can spoof the origin anyway). XSS have a same origin policy which is a javascript restriction, read upon that – cyber-guard Commented Apr 15, 2011 at 15:37
• Thank you. I'll look into how same origin applies to those scenarios above... – TLDR Commented Apr 15, 2011 at 16:05

2 Answers 2

You can restrict the validity scope of cookie in the domain and the path separately. So you could set a cookie in both scenarios that is only valid for that specific domain/path bination:

1. To set a cookie for //pany1.example./ only:

    Set-Cookie: name=value; Path=/
   

   Omitting the Domain attribute makes the cookie only valid for the domain that it was set in. And with Path=/ the cookie is valid for any path that has the prefix /.

2. To set a cookie for //example./pany1/ only:

    Set-Cookie: name=value; Path=/pany1/
   

   Same explanation as for the example above. The only restriction is that you need to use /pany1/ instead of /pany1 as Path=/pany1 would be equivalent to Path=/ and thus would make the cookie also valid for /pany2 and /pany3.

And to avoid that the cookie can be read via JavaScript (reducing the assets accessible using XSS), set the HttpOnly attribute.

The Open Web application security project publishes lots of valuable information about secure web application development.

Cookie's have a scope and path attributes, you would normally not want ot issue cookies for "/" or wildcard hosts *.hoster. would both be ill-advised.

It's not as simple as this one decision, it's good you thought of security in your design, but security is a process, in every phase of your development.