Suppose you have a webapp that gives users their own site on a subdomain

Question

0

Asked: May 13, 20262026-05-13T11:00:25+00:00 2026-05-13T11:00:25+00:00

Suppose you have a webapp that gives users their own site on a subdomain

0

Suppose you have a webapp that gives users their own site on a subdomain (eg: awesome.super-cms.com) and that you let them edit HTML. Further assume that you’re setting the SessionID in a wildcard subdomain cookie (“*.super-cms.com“).

The user who manages evil.super-cms.com could easily write a JavaScript that grabs the SessionID from other super-cms.com users:

var session = $.cookie('SessionID');
// Now send `session` to evil.com

My question is: Could an attacker user these harvested SessionIDs to do bad things? For example, spoof authentication as another user?

Report

Leave an answer
Cancel reply

You must login to add an answer.

Need An Account,

1 Answer

Editorial Team · Answer 1 · 2026-05-13T11:00:25+00:00

Editorial Team

2026-05-13T11:00:25+00:00Added an answer on May 13, 2026 at 11:00 am

Yes, they can. This guy appears to have an article outlining examples: http://skeptikal.org/2009/11/cross-subdomain-cookie-attacks.html

You can set the domain of the cookie to prevent this. It is set as ;domain=... inside the cookie, your given language will probably have a facility to do this directly.

0

Reply
Share
Share

- Report

Sign Up

Sign In

Forgot Password

The Archive Base Latest Questions

Suppose you have a webapp that gives users their own site on a subdomain

Leave an answerCancel reply

1 Answer

Leave an answer
Cancel reply