Author Topic: Web cookies  (Read 692 times)

Offline SiliconWizard (Topic starter)

  • Super Contributor
  • ***
  • Posts: 17525
  • Country: fr
Web cookies
« on: September 19, 2025, 04:38:31 pm »
Is it possible for a website to get access to user cookies from another website? What kind of security is there to prevent that?
 

Offline Nominal Animal

  • Super Contributor
  • ***
  • Posts: 8299
  • Country: fi
    • My home page and email address
Re: Web cookies
« Reply #1 on: September 19, 2025, 05:01:22 pm »
> Is it possible for a website to get access to user cookies from another website? What kind of security is there to prevent that?

Each cookie can have several attributes, the three key ones being Secure, Domain, and Path.  When Secure is set, the cookie is only sent when using a https connection. When Domain (and optionally Path) is set, browsers only send the cookie when making requests to that specific domain (and path prefix).

If your cookie has those set, then it is not accessible outside pages loaded from that domain (and path prefix).  Any security-sensitive cookie must have all three set.  Browsers will allow access to the cookie value via JavaScript only for content it loaded from said domain and path prefix.

There are three possible exploit types: managing to upload an HTML or SVG or similar file to that domain and path prefix, with JavaScript to extract the cookie from the browser (allowed because the media was loaded from the allowed domain and path prefix); cross site script exploit where only the thief JavaScript is injected into a page from the allowed domain and path prefix (or existing JavaScript is exploited to reveal the cookie value); and browser (bug) exploits.

As of today, I would expect the cookie access protections to be more robust and better tested than any other protection feature in browsers, because browser authentication cookies are the most widely used user authentication mechanism; one that even you yourself are using right now, if you're logged on to the EEVblog forums.
Thus, my answers to the two questions are "No, barring serious browser security issues" and "the most important parts of the cross-site barriers and session isolation within every browser implementation".
 
The following users thanked this post: bitwelder, Andy Watson, MK14, SiliconWizard, golden_labels
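
The attribute checks described in the post above, as an added example that is not part of the original post: a JavaScript sketch of the RFC 6265 domain-match and path-match rules a browser applies before attaching a cookie to a request. The cookie object, its `hostOnly` field and the `forum.example` host names are constructed for illustration, and the sketch goes beyond the post by also covering a cookie set without a Domain attribute (host-only).

```javascript
// Added example: RFC 6265 cookie-to-request matching (sections 5.1.3, 5.1.4, 5.4).
// Cookie objects and host names are constructed for illustration.

// Domain-match: identical host, or host ends with "." + cookie domain.
function domainMatch(host, cookieDomain) {
  host = host.toLowerCase();
  cookieDomain = cookieDomain.toLowerCase();
  if (host === cookieDomain) return true;
  const isIp = /^[\d.]+$/.test(host) || host.includes(":");
  return !isIp && host.endsWith("." + cookieDomain);
}

// Path-match: equal, or cookie path is a prefix that ends on a "/" boundary.
function pathMatch(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
}

// Would a browser attach `cookie` to a request for `url`?
function wouldSend(cookie, url) {
  const u = new URL(url);
  if (cookie.secure && u.protocol !== "https:") return false;
  // hostOnly is true when the cookie was set without a Domain attribute.
  const hostOk = cookie.hostOnly
    ? u.hostname.toLowerCase() === cookie.domain.toLowerCase()
    : domainMatch(u.hostname, cookie.domain);
  return hostOk && pathMatch(u.pathname, cookie.path);
}

// Constructed session cookie: Secure; Domain=forum.example; Path=/app
const session = { name: "sid", domain: "forum.example", path: "/app",
                  secure: true, hostOnly: false };

// Returns the constructed URLs that would receive the cookie.
function demo(cookie) {
  const urls = [
    "https://forum.example/app/index",      // sent
    "http://forum.example/app/index",       // blocked: Secure needs https
    "https://forum.example/application",    // blocked: not under /app/
    "https://sub.forum.example/app/x",      // sent: Domain covers subdomains
    "https://otherforum.example/app/",      // blocked: no "." boundary
    "https://other.example/app/",           // blocked: different domain
  ];
  return urls.filter((u) => wouldSend(cookie, u));
}

console.log(demo(session));
```

Passing `{ ...session, hostOnly: true }` to `demo` drops the `sub.forum.example` entry, which is the behaviour of a cookie set without a Domain attribute.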

Offline radiolistener

  • Super Contributor
  • ***
  • Posts: 5615
  • Country: Earth
Re: Web cookies
« Reply #2 on: September 21, 2025, 12:28:01 pm »
There is no legitimate way for one website to directly read cookies from another site. Browsers usually isolate cookies, localStorage, and DOM access between domains, but proper cookie configuration (Domain, Path, and Secure attributes) is required to enforce this isolation. Cookies can only be accessed by content loaded from the same domain and path, and JavaScript cannot bypass these restrictions.

Technically, cookies could be exposed under certain scenarios, but these almost always require user action, explicit consent, or a security flaw. Examples include browser extensions explicitly installed by the user, Cross-Site Scripting (XSS) vulnerabilities allowing injected scripts to run in your domain, compromised third-party scripts loaded by your site, or rare browser security bugs.


Another way cookies from your site could be accessed is through local software running on the user's computer. Such software may be able to read cookies directly from the browser's storage on disk, bypassing browser-enforced isolation. For example, a site could convince a user to download and run an application under the guise of providing some useful functionality. Once executed, this application could directly access the browser cookie storage on disk and send cookies to the attacker.

And yet another potential vector for accessing cookies from your site is through social engineering. In this scenario, an attacker might trick a user into voluntarily revealing cookie data — for example, by instructing them to open the site’s developer tools and copy the value of a specific cookie. The attacker could disguise this as a legitimate security or troubleshooting procedure, or claim it is required for some action.

While this method does not exploit any technical vulnerability, it shows the importance of user awareness: even fully secure cookies can be exposed if a user is deceived into disclosing them.
« Last Edit: September 21, 2025, 12:48:18 pm by radiolistener »
 

Offline RoGeorge

  • Super Contributor
  • ***
  • Posts: 8213
  • Country: ro
Re: Web cookies
« Reply #3 on: September 21, 2025, 09:29:15 pm »
> Is it possible for a website to get access to user cookies from another website? What kind of security is there to prevent that?

In theory, no, in practice, yes.  :scared:

I think that falls under the CSRF category (Cross Site Request Forgery).  A search about CSRF attacks should find many examples of such bugs/hacks and their fix.

Offline golden_labels

  • Super Contributor
  • ***
  • Posts: 2300
  • Country: pl
Re: Web cookies
« Reply #4 on: September 22, 2025, 01:13:40 am »
It’s XSS (cross-site scripting), not CSRF (cross-site request forgery). Nominal Animal already explained it.

CSRF relies on unauthorized use of cookies, but doesn’t allow extracting them. In some circumstances it may make the server reveal cookie-dependent data. But this is not the same as extracting cookies, and it exploits a vulnerability in the server, not in the browser.
Why 📎 | We live in times when half of people have IQ below 100.
 