I am storing user state (logged in / user id) in sessions on App Engine. Is it possible for users that know other users' UserId to manipulate their cookies and log in as other users?
What steps should I take to prevent this?
It’s not possible for one user to directly access data from another user. However, there are ways for one user to steal the login session of another user. But this isn’t GAE specific.
See:
Hijacking can easily occur on an open wifi hotspot. A common solution is to host your site with SSL.
CSRF happens when a user is logged into your website and has a malicious website open in the same browser. There are various ways to protect against this. A common solution is to include a random validation token in HTML forms. Also, set the HTTP response header X-Frame-Options: sameorigin and check that the request header X-Requested-With isn't equal to "XMLHttpRequest" for non-ajax hits.
XSS can be used to make these attacks more effective, so protect against it too.
For these types of attacks in general, make your user sessions expire quickly.
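The following is an added illustration, not code from the question or the answer above, of the two points the answer makes: a session cookie whose MAC covers the user id (so knowing someone else's id is not enough to forge their cookie) with a short lifetime, and a per-form CSRF token plus an X-Requested-With check for state-changing requests. The secret, function names and the 15-minute max age are assumptions for the example.

```python
import hashlib
import hmac
import os
import time

# Server-side secret (constructed for this example); load from config in practice,
# and never send it to clients.
SECRET = b"constructed-example-secret-do-not-reuse"

def _mac(secret, payload):
    return hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()

def sign_session(user_id, issued_at=None, secret=SECRET):
    """Cookie value 'user_id|issued_at|mac'. The MAC binds the user id, so a
    client who only knows another user's id cannot produce a valid cookie."""
    issued_at = int(time.time()) if issued_at is None else issued_at
    payload = "%s|%d" % (user_id, issued_at)
    return payload + "|" + _mac(secret, payload)

def verify_session(cookie, max_age=900, now=None, secret=SECRET):
    """Return the user id if the cookie is authentic and fresh, else None.
    A small max_age is the 'make sessions expire quickly' advice."""
    try:
        user_id, issued_at, mac = cookie.split("|")
        issued_at = int(issued_at)
    except ValueError:
        return None
    if not hmac.compare_digest(mac, _mac(secret, "%s|%d" % (user_id, issued_at))):
        return None
    now = int(time.time()) if now is None else now
    return user_id if now - issued_at <= max_age else None

def make_csrf_token(session_cookie, secret=SECRET):
    """Random nonce bound to this session via HMAC; embed it in each HTML form."""
    nonce = os.urandom(16).hex()
    return nonce + "." + _mac(secret, nonce + "|" + session_cookie)

def verify_csrf_token(token, session_cookie, secret=SECRET):
    try:
        nonce, mac = token.split(".")
    except ValueError:
        return False
    return hmac.compare_digest(mac, _mac(secret, nonce + "|" + session_cookie))

def state_changing_request_allowed(headers, form, session_cookie):
    """Accept a POST if it is an AJAX call marked with X-Requested-With (a
    cross-site HTML form cannot set that header) or carries a valid form token."""
    if headers.get("X-Requested-With") == "XMLHttpRequest":
        return True
    return verify_csrf_token(form.get("csrf_token", ""), session_cookie)

RESPONSE_HEADERS = {"X-Frame-Options": "SAMEORIGIN"}  # add to every response
```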