What should I know about cookies domain and scope for security purposes?

Where can I learn (or what is) about a cookie's scope to avoid CSRF and XSS attacks for authenticated users?

For example, if I have a multi-tenant system where a single user can be access to one or more sites what is more secure:

• company1.hoster.com
• company2.hoster.com
• company3.hos开发者_运维知识库ter.com

or

• www.hoster.com/company1
• www.hoster.com/company2
• www.hoster.com/company3

What happens if I set a cookie at "hoster.com"?

You can restrict the validity scope of cookie in the domain and the path separately. So you could set a cookie in both scenarios that is only valid for that specific domain/path combination:

1. To set a cookie for //company1.example.com/ only:

    Set-Cookie: name=value; Path=/
   

   Omitting the Domain attribute makes the cookie only valid for the domain that it was set in. And with Path=/ the cookie is valid for any path that has the prefix /.

2. To set a cookie for //example.com/company1/ only:

    Set-Cookie: name=value; Path=/company1/
   

   Same explanation as for the example above. The only restriction is that you need to use /company1/ instead of /company1 as Path=/company1 would be equivalent to Path=/ and thus would make the cookie also valid for /company2 and /company3.

And to avoid that the cookie can be read via JavaScript (reducing the assets accessible using XSS), set the HttpOnly attribute.

The Open Web application security project publishes lots of valuable information about secure web application development.

Cookie's have a scope and path attributes, you would normally not want ot issue cookies for "/" or wildcard hosts *.hoster.com would both be ill-advised.

It's not as simple as this one decision, it's good you thought of security in your design, but security is a process, in every phase of your development.