Hi Everyone,
I am facing an issue where user2 is able to access user1's details on another device using cookies, by collecting user1's cookie details from a cookie editor. This happens while user1's session is in an active state. Please help me with how to restrict a user from accessing user1's information based on cookies.
Thanks in advance.
Regards,
Ekadeep
Hi Ekadeep,
I've also talked with an OutSystems security expert, and they said that cookie stealing is a vulnerability for any website, and not specifically OS-related. You should always prevent stealing of cookies. But to steal a cookie, you must have access to another user's user directories on Windows, something that a user shouldn't have. Also, users should log off when they're no longer using the application, the session time-out shouldn't be too high, and you could enforce a policy on the browser that session cookies are deleted when the browser is closed.
So the only possible way to steal someone's cookies is when:
Of course, for this to work, a number of questionable things have already happened, in particular Bob having access to Alice's cookies in the first place.
Did you actually manage to do what you are describing, or is this more of a general fear that this is possible?
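The advice above (a short session time-out, explicit log-off, and session cookies that are discarded when the browser closes) as an added, runnable illustration that is not part of this thread and not OutSystems code; the store and all names are assumed. It also shows why a copied cookie keeps working only while the original session is still active.

```python
# Added example (not from the thread or from OutSystems): a minimal server-side
# session store illustrating the mitigations listed above. All names are assumed.
import secrets
import time
from typing import Callable, Dict, Optional

IDLE_TIMEOUT_SECONDS = 15 * 60  # "the session time-out shouldn't be too high"


class SessionStore:
    """In-memory store keyed by an unguessable session id (the cookie value)."""

    def __init__(self, clock: Callable[[], float] = time.time):
        self._sessions: Dict[str, dict] = {}  # sid -> {"user", "last_seen"}
        self._clock = clock

    def login(self, user: str) -> str:
        sid = secrets.token_urlsafe(32)  # 256 bits of entropy, never guessable
        self._sessions[sid] = {"user": user, "last_seen": self._clock()}
        return sid

    def resolve(self, sid: str) -> Optional[str]:
        """Return the user behind a presented cookie value, or None.

        A copied cookie resolves to the original user for as long as the
        session is active: that is the scenario in the question, which is why
        a short idle timeout and an explicit logout matter."""
        session = self._sessions.get(sid)
        if session is None:
            return None
        now = self._clock()
        if now - session["last_seen"] > IDLE_TIMEOUT_SECONDS:
            del self._sessions[sid]  # expired: drop it server-side
            return None
        session["last_seen"] = now
        return session["user"]

    def logout(self, sid: str) -> None:
        """Invalidate server-side so a copied cookie stops working too."""
        self._sessions.pop(sid, None)


def session_cookie_header(sid: str) -> str:
    """Set-Cookie value: no Max-Age/Expires, so the browser discards it on close;
    HttpOnly keeps it from page scripts; Secure limits it to HTTPS;
    SameSite=Strict stops cross-site requests from carrying it."""
    return f"sid={sid}; Path=/; Secure; HttpOnly; SameSite=Strict"
```

Logout must remove the session on the server, not just clear the browser's cookie, otherwise a copy of the cookie value stays valid until the idle timeout expires.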
We are experiencing this in our application in real time. To describe it in detail:
User1 logged in to the application on device A; user2 gathered information from device A using a cookie editor. Now user2 logged in to the application on device B with his own credentials and, using the cookie editor, changed the cookie details and refreshed. Now on device B user2 is able to access the application with user1's credentials without the login page.
Please help me on this scenario.
That seems like a bad vulnerability. Please contact OutSystems Support for help.
Okay Thanks for replying
Thanks very much for going more into the issue and trying to find a solution; the scenario you explained almost matches my issue. As you mentioned above, to prevent the stealing of cookies, how could I achieve this? It would be very helpful if you could tell me the way to block stealing of the cookies.
Cordial thanks once again.
Ekadeep K
Well, I think I did. In order to prevent stealing the cookies, you must make sure that users that share a computer are not allowed to access each other's user directories. That's something that the IT department should fix.
Sure, will make a few learning sessions for the application users to protect their security-related activities :p .
Thanks very much Kilian for pitching into my issues, and trying to close the issue.
You're most welcome. If you think one of my answers gave you a good answer to your question, please mark it as solution, thanks!