Tags: javascript, jquery, cookies, xss, jquery-cookie

Are cookies safe?


I want to create a webpage which redirects a user if some cookies were previously set by my webpage. Like this (I am using a jQuery cookie plugin):

// get cookies
var email = $.cookie("email_addr");
var postcode = $.cookie("post_code");

if(email != undefined && postcode != undefined) {
    // insert cookies into redirect url
    var redirect =
    "https://docs.google.com/forms/d/1BofVyLFj9-Y2RQ8LxZuaptS071yHDqW4cdZhvvqTNz8/viewform?entry.139029761=" + email +
    "&entry.1727046863=" + postcode;
    console.log(redirect);
}

(URL character replacement omitted for readability)

Can I assume the cookies are safe and cannot be modified by anyone but the user and the application, so XSS attacks are not possible, or do I need to validate them anyway?

I will validate the cookies when they are set, my question is if I can trust my own cookies.


Solution

  • You should always validate data provided by the user and assume that it could be modified. It can even be modified not by a third party, but by a malicious user or by someone who has access to a legitimate user's browser. You should also protect cookies that contain user personal data (email, password, address, etc.) from XSS. A good way would be using the HttpOnly flag. A better way is to encrypt cookies, so only your application knows their content. This would also prevent the cookie contents from being accessed directly.

    Important: As @Eda190 stated in the comments to the following answer, you should not only protect cookies from XSS, but your application in general. Here is a good cheat sheet.
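To make the answer's point concrete, here is an added example (not code from the question or the answer) that rewrites the question's redirect logic to treat cookie values as untrusted input: it parses a document.cookie-style string without jQuery, validates each value against a strict pattern, and URL-encodes it before building the redirect. The cookie parser, the regex allow-lists and the sample cookie strings are assumptions made for this example.

```javascript
// Added example, not from the original question or answer.
// Cookie values are user-controlled, so treat them like any other input:
// parse, validate against a strict allow-list, then URL-encode before use.

// Parse a document.cookie-style string ("a=1; b=2") without jQuery.
function readCookie(name, cookieString) {
  for (const part of cookieString.split(";")) {
    const idx = part.indexOf("=");
    if (idx === -1) continue;
    const key = part.slice(0, idx).trim();
    if (key === name) {
      try {
        return decodeURIComponent(part.slice(idx + 1).trim());
      } catch (e) {
        return undefined; // malformed percent-encoding: treat as absent
      }
    }
  }
  return undefined;
}

// Strict allow-lists; these patterns are assumptions for this example.
const EMAIL_RE = /^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$/;
const POSTCODE_RE = /^[A-Za-z0-9 ]{3,10}$/;

const FORM_BASE =
  "https://docs.google.com/forms/d/1BofVyLFj9-Y2RQ8LxZuaptS071yHDqW4cdZhvvqTNz8/viewform";

// Build the redirect URL only from values that pass validation, and let
// URLSearchParams encode them so a cookie value cannot add or alter
// query parameters. Returns null when the cookies are absent or invalid.
function buildRedirect(cookieString) {
  const email = readCookie("email_addr", cookieString);
  const postcode = readCookie("post_code", cookieString);
  if (email === undefined || postcode === undefined) return null;
  if (!EMAIL_RE.test(email) || !POSTCODE_RE.test(postcode)) return null;
  const params = new URLSearchParams({
    "entry.139029761": email,
    "entry.1727046863": postcode,
  });
  return FORM_BASE + "?" + params.toString();
}
```

A real page would still do this validation server-side as well, since anything running in the browser can be bypassed by the same user who controls the cookies.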