Hi All,

I have an issue. There are two domains
1. MyTest.com (parent domain)
2. sub.MyTest.com (sub domain)

The cookies from the parent domain are accessible in the sub domain. I don't want this to happen. I know we can limit this by setting the domain property at the time of cookie creation. But the problem is that I don't have access to the parent domain.

I can restrict the cookies being created in sub domain to be accessible only in sub domain but I am not able to restrict the cookies from the parent domain.

Please suggest how I should proceed with this.


Thanks
Comments
Sergey Alexandrovich Kryukov 26-Mar-14 2:24am    
May I ask you: why?
—SA
Rohan Rajpoot 26-Mar-14 2:48am    
The issue is that we have implemented a functionality to detect SQL injection in the sub domain. Now the cookies from the parent domain are coming, which are creating SQL injection.
Sergey Alexandrovich Kryukov 26-Mar-14 2:58am    
If you are going to fight SQL injection by blocking some cookies, consider your SQL already cracked by SQL injection. :-)
Really, it's so wrong... If you want to prevent SQL injection, ask a question about it.
—SA

If you want to restrict cookies that are set in the parent domain from being global, you have to set the cookie on the absolute URL.

For example, set the cookie on

http://www.test.com/

instead of test.com

Setting the cookie on test.com would set it on all sub-domains.

I think sub-domains like sub-domain.test.com are not usually affected.
 
Rohan-Rajpoot:
Now the cookies from the parent domain is coming which are creating SQL injection.
Even if an SQL injection exploit is somehow performed through the use of some cookies, blocking any cookies would be quite useless for prevention of this exploit. Its mechanism is basically totally unrelated to cookies and can be utilized without any cookies at all. This is how: http://xkcd.com/327.

See also: http://en.wikipedia.org/wiki/SQL_injection.

Please see my past answers:
EROR IN UPATE in com.ExecuteNonQuery();,
hi name is not displaying in name?.

This is what you really need to use: http://msdn.microsoft.com/en-us/library/ff648339.aspx.

—SA
 
Comments
Rohan Rajpoot 26-Mar-14 3:55am    
Thanks for your reply.

I think I must describe the whole scenario:

First of all, it's a legacy application. What they have done to prevent SQL injection is: they have created a function which will check the querystring and cookies for a certain set of keywords like table, sys, drop, @ etc.

This function is called on loading of every page. If it finds those keywords in the text, the user is redirected to an error page and an error log is written that SQL injection was detected on this page.

I am into support of this project. And I have to fix this issue.
Sergey Alexandrovich Kryukov 26-Mar-14 4:04am    
Okay, consider SQL injection is already successful. Please, don't try to ignore my answer: this is really the answer, not just "reply". You need to prevent the exploit properly, no matter if this is a legacy code or not. :-)
—SA
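
Added example (not from the thread or from the legacy application): a Python/sqlite3 sketch of the keyword check described in the comments above, run against a constructed parent-domain cookie and a constructed input, beside the parameterized query form that the second answer points to. The function names, the `users` table and all sample values are assumptions; the thread's application is ASP.NET, where the same idea is a command with bound parameters.

```python
import sqlite3

# Keywords named in the thread's description of the legacy check.
KEYWORDS = ("table", "sys", "drop", "@")

def legacy_filter_flags(value: str) -> bool:
    """Hypothetical reconstruction of the page-load check:
    flag any querystring/cookie value that contains a keyword."""
    lowered = value.lower()
    return any(k in lowered for k in KEYWORDS)

def make_db() -> sqlite3.Connection:
    """Constructed in-memory database with two sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],
    )
    return conn

def lookup_concatenated(conn, name):
    # 'Before' form: the input becomes part of the SQL text itself.
    sql = "SELECT email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()

def lookup_parameterized(conn, name):
    # The input is bound as a value and is never parsed as SQL.
    return conn.execute(
        "SELECT email FROM users WHERE name = ?", (name,)
    ).fetchall()

# Constructed sample values (not taken from the page).
PARENT_COOKIE = "layout=table; user=alice@example.test"  # harmless cookie
NO_KEYWORD_INPUT = "x' OR '1'='1"  # contains none of the keywords

if __name__ == "__main__":
    conn = make_db()
    # The filter blocks the harmless cookie and passes the other input.
    print("cookie flagged:", legacy_filter_flags(PARENT_COOKIE))
    print("input flagged: ", legacy_filter_flags(NO_KEYWORD_INPUT))
    # Concatenation returns every row; binding returns none.
    print("concatenated: ", lookup_concatenated(conn, NO_KEYWORD_INPUT))
    print("parameterized:", lookup_parameterized(conn, NO_KEYWORD_INPUT))
```

With bound parameters the keyword check is no longer needed as a defence, so cookies arriving from the parent domain stop mattering to the query layer.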

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)