back to the *point* WAS: Re: [thesite] UEUE v.0.2 Update

.jeff jeff at members.evolt.org
Thu Nov 8 10:25:09 CST 2001 

mark,

><><><><><><><><><><><><><><><><><><><><><><><><><><><><><
> From: Mark Nickel
>
> > by strip you mean delete the cookies entirely?  that
> > would have quite negative effects on persistent logins
> > for those users who visit m.e.o. sites.  if you're
> > talking about simply suppressing the reporting of the
>
> I was speaking of supressing the cookies from being
> passed from the browser through Apache, to the PHP
> engine to interpret the *.php page.  The cookies
> would still exist in the the users cookiejar on the
> browser side. Apache would prevent these from being put
> into X server-side scripting language's $COOKIE
> variables...
><><><><><><><><><><><><><><><><><><><><><><><><><><><><><

sounds like you'd need to write this protection layer for each app server.
too much work though if it's going to leave the cookies wide open for
harvesting with javascript.

><><><><><><><><><><><><><><><><><><><><><><><><><><><><><
> Would you be able to provide more information on this?
> I'm unfamiliar with Javascript haxoring in this way.  I
> would think that by mod'ing Apache, any hacks in
> Javascript would be twarted because at some point in
> time l33t haxor johnny is going to need to redirect to
> a webserver "somewhere", right?  Since only cookies for
> a domain are sent to the webserver for that domain, I
> don't see how the cookies could be stolen if Apache were
> to supress ueue_* cookies from going to the server-side
> scripting language on m.e.o.....  But, honestly, I don't
> profess to be an expert in all things so I'm really
> eager for more information.  Truly!  :) :)
><><><><><><><><><><><><><><><><><><><><><><><><><><><><><

grabbing cookies with javascript is really rather simple.  all i have to do
is query the document.cookies object and it'll tell me everything i need to
know.  then, i can report them back to my server-side script in a multitude
of ways for logging purposes.  these ways would include things like pass the
entire mess of cookie values as a url parameter to a hidden iframe, as a url
parameter to an image swap, to a hidden form field and submit the form, etc.

supressing the cookies server-side won't stop this since javascript
communicates directly with the browser and not with anything server-side to
get the cookies.

.jeff

http://evolt.org/
jeff at members.evolt.org
http://members.evolt.org/jeff/

More information about the thesite mailing list