I have been reading about cross-subdomain cookie attacks here.
A quick overview of how it works (from Wikipedia):
- A web site www.example.com hands out subdomains to untrusted third parties
- One such party, Mallory, who now controls evil.example.com, lures Alice to her site
- A visit to evil.example.com sets a session cookie with the domain .example.com on Alice's browser
- When Alice visits www.example.com, this cookie will be sent with the request, as the cookie specifications state, and Alice will have the session specified by Mallory's cookie.
- If Alice now logs on, Mallory can use her account.
We are building a web app where customers will have their own subdomains: subdomain.ourapp.com.
Each customer will be able to upload template files which can contain JavaScript (for client-side interaction).
Since JavaScript can be used to read/write cookies, how can we prevent the session fixation attack above? Note that we are only storing the session id in the cookie.
Sites like squarespace.com also allow users to inject their own JavaScript into their own pages on their own subdomain. Since it would be next to impossible to try and filter out JavaScript statements that set/read cookies in uploaded template files, how can we mitigate this attack vector?
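As an added example (not part of the question, and not code from any product named in it), the following stdlib-only Python sketch shows the server-side measures that make a cookie planted by a sibling subdomain worthless: the session cookie is issued under a `__Host-` prefixed name, which browsers only accept when it is Secure, has `Path=/` and carries no `Domain` attribute, so script on `evil.ourapp.com` cannot create a cookie of that name that reaches `www.ourapp.com`; every session id is HMAC-signed with a server key, so a value the server never issued is ignored rather than adopted; and the id is regenerated at login, so any id an attacker knew before authentication maps to nothing afterwards. The names `SessionStore`, `handle_request`, the cookie name `__Host-sid` and the sample cookie headers are constructed for this illustration.

```python
import hashlib
import hmac
import secrets
import time
from http.cookies import SimpleCookie

# Constructed server-side secret; a real deployment loads this from a secrets manager.
SERVER_KEY = secrets.token_bytes(32)
COOKIE_NAME = "__Host-sid"


class SessionStore:
    """In-memory session table: session id -> session data."""

    def __init__(self):
        self._sessions = {}

    def create(self):
        sid = secrets.token_urlsafe(32)  # urlsafe base64 never contains '.'
        self._sessions[sid] = {"user": None, "created": time.time()}
        return sid

    def get(self, sid):
        return self._sessions.get(sid)

    def regenerate(self, old_sid):
        # Session fixation defence: move the data to a fresh id and retire the old one,
        # so an id known before login no longer resolves to anything.
        data = self._sessions.pop(old_sid, None) or {"user": None, "created": time.time()}
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = data
        return new_sid


def sign(sid):
    """Append an HMAC so only server-issued ids verify."""
    mac = hmac.new(SERVER_KEY, sid.encode(), hashlib.sha256).hexdigest()
    return f"{sid}.{mac}"


def verify(cookie_value):
    """Return the session id if the cookie value carries a valid MAC, else None."""
    if not cookie_value or "." not in cookie_value:
        return None
    sid, mac = cookie_value.rsplit(".", 1)
    expected = hmac.new(SERVER_KEY, sid.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None
    return sid


def set_cookie_header(sid):
    """Build the Set-Cookie line. The __Host- prefix forces Secure, Path=/ and no Domain."""
    jar = SimpleCookie()
    jar[COOKIE_NAME] = sign(sid)
    jar[COOKIE_NAME]["secure"] = True
    jar[COOKIE_NAME]["httponly"] = True  # not readable by template JavaScript
    jar[COOKIE_NAME]["path"] = "/"
    jar[COOKIE_NAME]["samesite"] = "Lax"
    return jar.output(header="Set-Cookie:")


def cookie_from_set_cookie(header):
    """Return the 'name=value' pair a browser would send back for a Set-Cookie line."""
    return header.split(": ", 1)[1].split(";", 1)[0]


def handle_request(store, cookie_header, login_as=None):
    """Resolve the session for one request. Returns (session id in use, Set-Cookie line or None)."""
    jar = SimpleCookie(cookie_header or "")
    presented = jar[COOKIE_NAME].value if COOKIE_NAME in jar else None
    sid = verify(presented)
    if sid is None or store.get(sid) is None:
        # Missing, unsigned, forged or unknown id (e.g. one planted under .ourapp.com by a
        # sibling subdomain): never adopt it, issue a fresh server-generated session instead.
        sid = store.create()
        set_cookie = set_cookie_header(sid)
    else:
        set_cookie = None
    if login_as is not None:
        # Privilege change: rotate the id so a pre-authentication id is useless afterwards.
        sid = store.regenerate(sid)
        store.get(sid)["user"] = login_as
        set_cookie = set_cookie_header(sid)
    return sid, set_cookie


if __name__ == "__main__":
    store = SessionStore()
    # Constructed attacker cookie, as a Domain=.ourapp.com cookie set by evil.ourapp.com would arrive.
    sid, hdr = handle_request(store, "sid=mallory-chosen-id")
    print("planted id adopted?", sid == "mallory-chosen-id")
    sid_after, _ = handle_request(store, cookie_from_set_cookie(hdr), login_as="alice")
    print("id rotated at login?", sid_after != sid, "old id still live?", store.get(sid) is not None)
```

The browser will still send a `Domain=.ourapp.com` cookie named `sid` to `www.ourapp.com`; the point is that the server never treats an unsigned or unknown value as a session, and that even a genuinely issued pre-login id is retired the moment the user authenticates.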