[thelist] Can cookies be faked?
Simon Willison
cs1spw at bath.ac.uk
Wed Oct 8 18:12:52 CDT 2003
John.Brooking at NA.SAPPI.COM wrote:
> Sorry if this is a dumb question. I can't seem to refine my Google search
> appropriately to answer it. At least it should be a simple one for many of
> you.
>
> If I want to set a cookie to indicate that someone has a certain authority,
> I'm thinking it's not a good idea for pages to then check for that cookie in
> client-side JavaScript, where someone could just look at the page source to
> discover the expected name and value of the cookie. I suspect it is almost
> trivial, for someone who knows how, to give themselves such a cookie by
> editing their client's cookie jar directly. Am I right?
You're absolutely right - but even if you were checking the cookie with
server-side code such a cookie would be a huge security hole. It's
trivial to find out what cookies a site has set - you can do so by
pasting the following into the URL bar while viewing the site in question:
javascript:alert(document.cookie);
If a malicious user did that on your site and saw a cookie called
"authlevel" set to a value of 1, it would be trivial for them to edit
their cookie to give them a higher value.
The secure alternative is to use sessions. In some server-side code,
generate a big ugly random string. Send that string to the user as a
cookie, then store the string somewhere (I generally use a database)
along with the user ID of that user (or their permissions or both). Then
whenever they request a page you can look up their permissions. To crack
this system, a user would have to guess the session ID of someone with a
higher permission level than them, which is virtually impossible
provided the session string is long enough.
Many server-side programming languages have a sessions feature which can
do all of this for you, but I tend to roll my own as it gives me more
control over details like how long the cookie lasts for.
Hope that helps,
Simon Willison
http://simon.incutio.com/
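The session scheme Simon sketches, as an added Python example (not code from the original post or from Simon): the client receives only an opaque random token, while the user ID, permissions and expiry live in a server-side store, so editing the cookie cannot raise the requester's authority. The `authlevel` cookie name comes from the post; `sessionid`, the `SessionStore` class and the in-memory dict standing in for the database are assumptions of this example.

```python
"""Added example: server-side sessions vs. a trust-the-cookie "authlevel" check.

The store is an in-memory dict standing in for the database Simon mentions.
"""
import secrets
import time
from dataclasses import dataclass
from typing import Optional


@dataclass
class Session:
    user_id: str
    permissions: frozenset
    expires_at: float


class SessionStore:
    """Maps opaque session tokens to what the server knows about the user."""

    def __init__(self, lifetime_seconds: int = 3600):
        # Rolling your own gives control over the lifetime, as the post notes.
        self.lifetime = lifetime_seconds
        self._sessions: dict[str, Session] = {}

    def create(self, user_id: str, permissions, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        # 32 bytes from the OS CSPRNG -> 43-character URL-safe token (256 bits of
        # entropy), which is what makes guessing another user's ID infeasible.
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(user_id, frozenset(permissions), now + self.lifetime)
        return token

    def lookup(self, token: str, now: Optional[float] = None) -> Optional[Session]:
        now = time.time() if now is None else now
        session = self._sessions.get(token)
        if session is None:
            return None
        if now >= session.expires_at:
            # Expired sessions are dropped on first use after expiry.
            del self._sessions[token]
            return None
        return session

    def destroy(self, token: str) -> None:
        self._sessions.pop(token, None)


def parse_cookie_header(header: str) -> dict:
    """Parse a 'Cookie:' request header ("a=1; b=2") into a name -> value dict."""
    cookies = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            cookies[name] = value
    return cookies


def authlevel_insecure(cookie_header: str) -> int:
    """The flawed design from the question: the server believes whatever the
    client put in the "authlevel" cookie, so a user can simply edit it upward."""
    value = parse_cookie_header(cookie_header).get("authlevel", "0")
    return int(value) if value.isdigit() else 0


def permissions_for_request(store: SessionStore, cookie_header: str,
                            now: Optional[float] = None) -> frozenset:
    """The session design: only the server-side record is trusted. Any other
    cookie the client sends (including a forged "authlevel") is ignored."""
    token = parse_cookie_header(cookie_header).get("sessionid", "")
    session = store.lookup(token, now)
    return session.permissions if session else frozenset()


if __name__ == "__main__":
    store = SessionStore(lifetime_seconds=60)
    token = store.create("alice", {"read"})
    print("insecure check sees:", authlevel_insecure("authlevel=9"))
    print("session check sees:", permissions_for_request(store, f"sessionid={token}; authlevel=9"))
```

With a real deployment the store would be the database, the token would be sent with the `Secure` and `HttpOnly` cookie attributes so a `javascript:alert(document.cookie)` check cannot read it, and `destroy` would back a logout action; none of that changes the core point that the cookie carries no authority of its own.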