HiveBrain v1.2.0

Need to pass cookie information to a child iFrame - Are there any security concerns?

Submitted by: @import:stackexchange-codereview

Problem

I have a child iframe in my page that will load content from a different web application in a different virtual directory than the parent page.

The DOM will look roughly like this:

  • The user will log in to www.contoso.com/WebApp1.
  • The user will load www.contoso.com/WebApp1/Home which contains an iframe with content from www.contoso.com/WebApp2/Home.
  • To load content from www.contoso.com/WebApp2/Home the user must be logged in.

My Question:

  • Could I simply load the iframe with src=www.contoso.com/WebApp2/Home?sessionId={sessionIdFromTheParentCookie}, and write server-side code to trust the incoming sessionId and set a cookie for the child iframe?
  • At present, I can't see how this is any worse than the reality that a user could tamper with his/her client-side cookie and insert an arbitrary sessionId in it.
  • The sessionId must always be validated at the server, so what's the harm in supplying an arbitrary sessionId in the query string and asking the server to set the cookie?

Solution

My Answer (best guess)

  • Tag is correct; out of security concern I would still not pass the session id as a parameter (only if there is no other way).
  • It makes it harder to tamper with if it is HttpOnly, see wikipedia.
  • Links with session ids could be bookmarked and after the end of the session they won't work, or they could be forwarded, and sessions could be passed/shared, ...

Btw.: I found this link https://security.stackexchange.com/questions/14093/why-is-passing-the-session-id-as-url-parameter-insecure covering more or less the same topic.

I hope it helps.

Context

StackExchange Code Review Q#19781, answer score: 2
