[thelist] RE: Can cookies be faked?

Simon Willison cs1spw at bath.ac.uk
Thu Oct 9 06:39:00 CDT 2003

John.Brooking at NA.SAPPI.COM wrote:
> If I'm lazy and don't want to go to the trouble (hypothetically-speaking of
> course -- if I must do the login/session thing, I will), what about the
> following scenario? I use directory security (such as .htaccess with Apache,
> or IIS equivalent) to put a "login" page in a protected directory. The login
> page sets the cookie  (such as "authlevel=1"), and only server-side code
> checks for it. This way, the cookie is still only available to those who
> enter a password. I think I'm basically shifting the authentication off on
> the web server itself, rather than including it in my application. If I set
> the cookie in client-side JavaScript, as long as it's behind that protected
> directory, then I also don't need another server-side script to worry about
> anyone running. Does this sound like it would pass the test?

If I understand you correctly, such a cookie could still be facked by a 
malicious user. Remember, an advanced enough user can control ALL of the 
data flowing from their client to your server, so you should never trust 
any information from the client.

> I realize it would not be as flexible, unless there is some way to get from
> the web server what username was entered. I know in IIS you get an AUTH_USER
> or some such variable. Does Apache also set such a thing as a result of
> passing .htaccess protection?

Yes it does, and this is a very handy way of doing authentication 
without the hassle of cookies, sessions and so on. You should be able to 
read the AUTH_USER environment variable from your CGI script, using 
whatever mechanism your chosen CGI language provides for accessing 
environment variables (in Python it would be os.environ['AUTH_USER']).

I wrote some tutorials on PHP security and session which you might find 
useful earlier this year:


Hope that helps,

Simon Willison

More information about the thelist mailing list