Click here to Skip to main content
15,171,729 members
Please Sign up or sign in to vote.
2.50/5 (2 votes)
See more:
Hi All,

I have an issue. There are two domains
1. MyTest.com (parent domain)
2. sub.MyTest.com (sub domain)

The cookies from the parent domain is accessible in the sub domain. I don't want this to happen. I know we can limit this by setting the domain property at the time of cookie creation. But the problem is that I don't have access to parent domain.

I can restrict the cookies being created in sub domain to be accessible only in sub domain but I am not able to restrict the cookies from the parent domain.

Please suggest how should I proceed in this.


Thanks
Posted
Comments
   
May I ask you: why?
—SA
Rohan Rajpoot 26-Mar-14 2:48am
   
Issue that we have implemented a functionality to detect sql injection in the sub domain. Now the cookies from the parent domain is coming which are creating sql injection.
   
If you are going to fight SQL injection by blocking some cookies, consider your SQL already cracked by SQL injection. :-)
Really, it's so wrong... If you want to prevent SQL injection, ask a question about it.
—SA

If you want to restrict cookies that are set in the parent domain from being global, you have to set the cookie on the absolute url

For example, set the cookie on

http://www.test.com/

instead of test.com

Setting the cookie on test.com> would set it on all sub-domains.

I think sub-domains like sub-domain.test.com are not usually affected.
   
Rohan-Rajpoot:
Now the cookies from the parent domain is coming which are creating SQL injection.
Even if SQL injection exploit is somehow performed through the use of some cookies, blocking any cookies would be quite useless for prevention of this exploit. Its mechanism is basically totally unrelated to cookies and can be utilized without any cookies at all. This is how: http://xkcd.com/327[^].

See also: http://en.wikipedia.org/wiki/SQL_injection[^].

Please see my past answers:
EROR IN UPATE in com.ExecuteNonQuery();[^],
hi name is not displaying in name?[^].

This is what you really need to use: http://msdn.microsoft.com/en-us/library/ff648339.aspx[^].

—SA
   
Comments
Rohan Rajpoot 26-Mar-14 3:55am
   
Thanks for your reply.

I think I must describe the whole schenario:

First of all its a legacy application. What they have done to prevent SQL injection is: they have created a function which will check in the querystring and cookies, a certain set of keywords like table,sys,drop,@ etc..

This function is called in loading of every page. If it found those keywords in the text, the user is redirected to an error page and an error log is written that SQL injection detected on this page.

I am into support of this project. And I have to fix this issue.
   
Okay, consider SQL injection is already successful. Please, don't try to ignore my answer: this is really the answer, not just "reply". You need to prevent the exploit properly, no matter if this is a legacy code or not. :-)
—SA

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)




CodeProject, 20 Bay Street, 11th Floor Toronto, Ontario, Canada M5J 2N8 +1 (416) 849-8900