Is letting users access cookies through javascript a security issue

Question

I was wondering if allowing the user of a site to access and modify cookies with javascript from the console is a security issue? What harm can be done by allowing users to have this? Is it only considered a security issue in some situations but not others? Also does using HttpOnly cookies prevent the user from modifying cookies?

Answer 1

You are talking about two different scenarios:

1. Allowing JavaScript to read/modify cookies
2. Can a user modify cookies if they are flagged as HttpOnly

1) Allowing JavaScript to read/modify cookies.

The reason you normally do not want JavaScript being able to access cookies (reading or writing) is that most site use cookies to handle site authentication. It is common for attackers to create an exploit of Cross-Site Scripting (XSS) on a web site, and use that to read the values of the authentication cookie and send them to a server the attacker controls.

When the attacker has the session cookies, there is a chance (depending on the security of the site) that the attacker can insert the victims authentication cookie's values into the attackers session. Then when they go to the target site, they are treated as the victim and can do anything the victim can do.

Stealing cookies is not the only thing that can be done through XSS, to read more, look at OWASPS - A3 Cross-Site Scripting write-up.

2) Can a user modify cookies if they are flagged as HttpOnly

Yes. The user can modify the cookies, html, css, JavaScript, anything that is on their machine. That is why secrets should never be stored on the client's computer, and ANY values coming from the client/user's computer needs to be considered untrusted until proven to be valid.