stealing someone's cookies

Networking/Security Forums -> Exploits // System Weaknesses

Author: eeps24    Posted: Sun May 08, 2005 1:39 am    Post subject: stealing someone's cookies
    ----
I'm not sure where this topic should be, so I just posted it here.



My question is this: let's say "Frank" has a computer. He visits all kinds of sites that he buys things from, etc.; he goes to sites and has his username and password saved so he doesn't have to enter them. If "Dave" went to Frank's computer, physically or logically, whichever, and copied and pasted Frank's cookies onto Dave's computer, would Dave have all of Frank's usernames, passwords, etc. saved on Dave's computer? I always wondered about this.

Author: njan    Location: Scotland, UK    Posted: Sun May 08, 2005 1:59 am    Post subject:
    ----
This depends upon how cookies are being used by the website which uses them - cookies are small pieces of information stored by web servers on your computer, varying from advertisers tracking your preferences to tokens used to remember your login status for an online retailer. For more information about cookies, howstuffworks.com has quite a good explanation of them here.

Cookies store name-value pairs - as you may know (and will know, if you've visited the URL above) - for items such as user IDs. Any sensible web application will, when it stores a user ID in a name-value pair as part of a cookie on your system, store information about this in a database on the server along with your IP address. Some webmail systems will give you the option to restrict login by IP address or not; unfortunately, a lot of applications don't appear to do this, but most webmail systems should.

Login information for different systems online will really depend upon how the application has been coded; again, any sensible application author will take this into account and save state to the database, but there are plenty of applications (either by omission or design) which don't.

Author: icujc    Posted: Sun May 08, 2005 2:37 am    Post subject:
    ----
Quote:
Some webmail systems will give you the option to restrict login by IP address or not; unfortunately, a lot of applications don't appear to do this, but most webmail systems should.


Not so sure this would be a plausible solution with most users receiving a new IP address via DHCP from their ISPs every few days or so. For those that are lucky enough to have static IPs this would be a very good choice, but I would have to say that is only a selected few who either pay extra to their ISP or have found an ISP that uses static IP address assignments.

Author: njan    Location: Scotland, UK    Posted: Sun May 08, 2005 2:42 am    Post subject:
    ----
Quote:

Not so sure this would be a plausible solution with most users receiving a new IP address via DHCP from their ISPs every few days or so. For those that are lucky enough to have static IPs this would be a very good choice, but I would have to say that is only a selected few who either pay extra to their ISP or have found an ISP that uses static IP address assignments.


Even more reason not to use cookies at all and rely on password-based authentication and a PHP session or temporary cookie for the duration of the transaction!
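As an added illustration of the two points njan makes in this thread (keep the user ID and the issuing IP address in a server-side store rather than in the cookie, and use a short-lived session cookie after a password login rather than a persistent "remember me" cookie), here is a small, self-contained session store. It is example code written for this page, not code from the thread or from any particular web application; the class and function names (SessionStore, check_password, session_cookie_header), the user record for "frank" and its password, and the IP addresses in the demo are all constructed for the example.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

SESSION_TTL_SECONDS = 15 * 60  # idle limit: the one hard stop once a cookie has leaked


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 so the user table never holds a plaintext or reversible password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user table for the example (salt and password are made up).
_FRANK_SALT = b"example-salt-not-for-production"
_USERS: Dict[str, Tuple[bytes, bytes]] = {
    "frank": (_FRANK_SALT, _hash_password("correct horse battery", _FRANK_SALT)),
}


def check_password(user: str, password: str) -> bool:
    rec = _USERS.get(user)
    if rec is None:
        return False
    salt, expected = rec
    return hmac.compare_digest(_hash_password(password, salt), expected)


@dataclass
class Session:
    user: str
    client_ip: str
    issued_at: float


class SessionStore:
    """Server-side state. The cookie carries only an opaque random token; the
    user ID and the IP the token was issued to are kept here, not in the cookie."""

    def __init__(self, ttl: int = SESSION_TTL_SECONDS):
        self._sessions: Dict[str, Session] = {}
        self._ttl = ttl

    def login(self, user: str, password: str, client_ip: str,
              now: Optional[float] = None) -> Optional[str]:
        if not check_password(user, password):
            return None
        token = secrets.token_urlsafe(32)  # 256 random bits, unrelated to the user ID
        self._sessions[token] = Session(user, client_ip, time.time() if now is None else now)
        return token

    def resolve(self, token: str, client_ip: str,
                now: Optional[float] = None) -> Optional[str]:
        """Map a presented cookie back to a user, or None if the token is unknown,
        expired, or presented from a different IP than it was issued to."""
        sess = self._sessions.get(token)
        if sess is None:
            return None
        now = time.time() if now is None else now
        if now - sess.issued_at > self._ttl:
            del self._sessions[token]
            return None
        if sess.client_ip != client_ip:
            # The cookie is being replayed from a host other than the one it was
            # issued to (e.g. copied off Frank's machine). Drop the session outright
            # so the legitimate holder has to log in again too.
            del self._sessions[token]
            return None
        return sess.user

    def logout(self, token: str) -> None:
        self._sessions.pop(token, None)


def session_cookie_header(token: str) -> str:
    """Set-Cookie value for a temporary cookie: no Expires or Max-Age, so the browser
    discards it when it exits; HttpOnly keeps page script from reading it; Secure keeps
    it off plaintext HTTP."""
    return f"sid={token}; Path=/; HttpOnly; Secure; SameSite=Strict"


if __name__ == "__main__":
    store = SessionStore()
    frank_ip, dave_ip = "203.0.113.5", "198.51.100.7"  # constructed addresses
    tok = store.login("frank", "correct horse battery", frank_ip)
    print("Set-Cookie:", session_cookie_header(tok))
    print("Frank from his own PC:", store.resolve(tok, frank_ip))   # frank
    print("Dave with a copied cookie:", store.resolve(tok, dave_ip))  # None
    print("Frank after Dave's attempt:", store.resolve(tok, frank_ip))  # None, must re-login
```

The IP check is exactly the control icujc objects to: a user whose ISP hands out a new address, or who roams between networks, is logged out by it. That is why the short TTL, the re-authentication on a mismatch, and a session cookie with no persistent expiry carry the real weight here; they hold even when the IP cannot be trusted to stay put. One further caveat for the "temporary cookie" approach: browsers that restore the previous session on start-up can keep session cookies across a restart, so the server-side TTL, not the absence of Expires, is what actually bounds the window.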




