Please help: massive cookie stealing problem for Ubuland hosting project



fluteflute
July 27th, 2008, 01:43 PM
https://bugs.edge.launchpad.net/ubuland/+bug/245982

We are creating a free (open source powered) hosting site. The plan was to allow members to host websites at ubuland.org/~username.

However we realised that this could be a massive security issue for cookies. For example:
User 'attacker' (/~attacker) sets up a website that secretly steals the login keys of other Ubuland users (say he stole the cookie of /~saj0577). From this he could forge a new cookie, with the stolen login key, which would trick the current system into thinking he was Saj0577 and therefore would have access to Saj's account.

We would be extremely grateful for anyone able to guide us towards fixing this issue.
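
An added example, not part of the original post: a small audit of which requests a browser would attach the login cookie to, using the domain-match and path-match rules of RFC 6265. The cookie name `login_key`, the sample URLs and the per-user host `attacker.ubuland.org` are assumptions made for illustration.

```python
from urllib.parse import urlsplit

def domain_match(host, cookie):
    # RFC 6265 5.1.3: a host-only cookie (no Domain attribute) needs an exact
    # host match; a cookie with a Domain attribute also goes to every subdomain.
    host, dom = host.lower(), cookie["domain"].lower()
    if cookie["host_only"]:
        return host == dom
    return host == dom or host.endswith("." + dom)

def path_match(request_path, cookie_path):
    # RFC 6265 5.1.4: prefix match on whole path segments only.
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False

def sent_with(cookie, url):
    parts = urlsplit(url)
    return (domain_match(parts.hostname, cookie)
            and path_match(parts.path or "/", cookie["path"]))

def audit(cookie, urls):
    """Return the URLs whose requests would carry this cookie."""
    return [u for u in urls if sent_with(cookie, u)]

# Constructed sample requests (not taken from the original post).
URLS = [
    "http://ubuland.org/login",
    "http://ubuland.org/~saj0577/index.html",
    "http://ubuland.org/~attacker/page",
    "http://attacker.ubuland.org/page",  # hypothetical per-user host
]

# Hypothetical cookie layouts for the site's login key.
SHARED = {"name": "login_key", "domain": "ubuland.org", "path": "/", "host_only": True}
PATH_SCOPED = dict(SHARED, path="/~saj0577")   # cookie limited to one user directory
WIDE = dict(SHARED, host_only=False)           # set with Domain=ubuland.org

if __name__ == "__main__":
    for label, cookie in (("shared", SHARED), ("path-scoped", PATH_SCOPED), ("wide", WIDE)):
        print(label)
        for url in audit(cookie, URLS):
            print("   ", url)
```

Path scoping narrows which requests carry the cookie, but RFC 6265 states that the Path attribute cannot be relied upon for security, because every page on the same host shares one origin.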