[thelist] Can cookies be faked?

Simon Willison cs1spw at bath.ac.uk
Wed Oct 8 18:12:52 CDT 2003


John.Brooking at NA.SAPPI.COM wrote:
> Sorry if this is a dumb question. I can't seem to refine my Google search
> appropriately to answer it. At least it should be a simple one for many of
> you.
> 
> If I want to set a cookie to indicate that someone has a certain authority,
> I'm thinking it's not a good idea for pages to then check for that cookie in
> client-side JavaScript, where someone could just look at the page source to
> discover the expected name and value of the cookie. I suspect it is almost
> trivial, for someone who knows how, to give themselves such a cookie by
> editing their client's cookie jar directly. Am I right?

You're absolutely right - but even if you were checking the cookie with 
server side code such a cookie would be a huge security hole. It's 
trivial to find out what cookies a site has set - you can do so by 
pasting the following into the URL bar while viewing the site in question:

javascript:alert(document.cookie);

If a malicious user did that on your site and saw a cookie called 
"authlevel" set to a value of 1, it would be trivial for them to edit 
their cookie to give them a higher value.

The secure alternative is to use sessions. In some server side code, 
generate a big ugly random string. Send that string to the user as a 
cookie, then store the string somewhere (I generally use a database) 
along with the user ID of that user (or their permissions or both). Then 
whenever they request a page you can look up their permissions. To crack 
this system, a user would have to guess the session ID of someone with a 
higher permission level than them, which is virtually impossible 
provided the session string is long enough.

Many server side programming languages have a sessions feature which can 
do all of this for you, but I tend to roll my own as it gives me more 
control over details like how long the cookie lasts for.

Hope that helps,

Simon Willison
http://simon.incutio.com/
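A minimal version of the session scheme the reply describes, as an added example that is not from the original post or from thelist: a random opaque string is issued as the cookie, the user's identity and permissions stay server-side keyed by that string, and each request is authorized only by lookup. The in-memory dictionary stands in for the database, and the cookie name `session`, the permission names and the function names are assumptions.

```python
import secrets
import time

# Stand-in for the database table the reply describes (assumed layout):
# session string -> who it belongs to, what they may do, and when it expires.
SESSIONS = {}


def create_session(user_id, permissions, lifetime_seconds=3600):
    """Issue a session: a long random string stored server-side with the user's data."""
    session_id = secrets.token_urlsafe(32)  # 256 random bits, not feasibly guessable
    SESSIONS[session_id] = {
        "user_id": user_id,
        "permissions": set(permissions),
        "expires": time.time() + lifetime_seconds,
    }
    return session_id


def lookup_session(session_id):
    """Resolve a cookie value to its stored record, or None if unknown or expired."""
    record = SESSIONS.get(session_id)
    if record is None:
        return None
    if time.time() >= record["expires"]:
        del SESSIONS[session_id]  # expired sessions are purged on first use
        return None
    return record


def parse_cookie_header(header):
    """Split a Cookie request header ("a=1; b=2") into a dict."""
    cookies = {}
    for part in header.split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            cookies[name] = value
    return cookies


def authorize(cookie_header, required_permission):
    """Grant access only if the session cookie maps to a live record holding the permission.

    The client-supplied value is used purely as a lookup key; a cookie such as
    "authlevel=2" carries no weight because nothing reads it.
    """
    cookies = parse_cookie_header(cookie_header)
    record = lookup_session(cookies.get("session"))
    if record is None:
        return False
    return required_permission in record["permissions"]
```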
