Need to pass cookie information to a child iFrame - Are there any security concerns?
Problem
I have a child iframe in my page that will load content from a different web application in a different virtual directory than the parent page. The DOM will look roughly like this:
- The user will log in to www.contoso.com/WebApp1.
- The user will load www.contoso.com/WebApp1/Home, which contains an iframe with content from www.contoso.com/WebApp2/Home.
- To load content from www.contoso.com/WebApp2/Home the user must be logged in.
My Question:
- Could I simply load the iframe with src=www.contoso.com/WebApp2/Home?sessionId={sessionIdFromTheParentCookie}, and write server-side code to trust the incoming sessionId and set a cookie for the child iframe?
- At present, I can't see how this is any worse than the reality that a user could tamper with his/her client-side cookie and insert an arbitrary sessionId in it.
- The sessionId must always be validated at the server, so what's the harm in supplying an arbitrary sessionId in the query string and asking the server to set the cookie?
Solution
My Answer (best guess)
- Tag is correct; out of security concern I would still not pass the session id as a parameter (only if there is no other way).
- It makes it harder to tamper with if it is HttpOnly; see Wikipedia.
- Links with session ids could be bookmarked, and after the end of the session they won't work; or they could be forwarded, and sessions could be passed/shared, ...
Btw.: I found this link https://security.stackexchange.com/questions/14093/why-is-passing-the-session-id-as-url-parameter-insecure covering more or less the same topic.
I hope it helps.
Context
StackExchange Code Review Q#19781, answer score: 2