[thelist] RE: Can cookies be faked?

John.Brooking at NA.SAPPI.COM John.Brooking at NA.SAPPI.COM
Thu Oct 9 09:08:40 CDT 2003


Simon wrote:
>>John.Brooking at NA.SAPPI.COM wrote:
>> If I'm lazy and don't want to go to the trouble (hypothetically-speaking of
>> course -- if I must do the login/session thing, I will), what about the
>> following scenario? I use directory security (such as .htaccess with Apache,
>> or IIS equivalent) to put a "login" page in a protected directory. The login
>> page sets the cookie (such as "authlevel=1"), and only server-side code
>> checks for it. This way, the cookie is still only available to those who
>> enter a password. I think I'm basically shifting the authentication off on
>> the web server itself, rather than including it in my application. If I set
>> the cookie in client-side JavaScript, as long as it's behind that protected
>> directory, then I also don't need another server-side script to worry about
>> anyone running. Does this sound like it would pass the test?
>
>If I understand you correctly, such a cookie could still be faked by a
>malicious user. Remember, an advanced enough user can control ALL of the
>data flowing from their client to your server, so you should never trust
>any information from the client.

My thought was that if the cookie is only set on a page in a protected
directory, and never referenced anywhere in client-side code, the hacker
would have no way of knowing what name and value to fake. That information
is only recorded in the protected directory, and in server-side code.

- John
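As an added illustration of the two designs under discussion (not code from John, Simon or the list), the first function trusts the bare "authlevel=1" flag the thread describes, while the second pair issues and checks a cookie whose value carries an HMAC tag computed with a secret the client never sees. The names `SERVER_SECRET`, `make_auth_cookie` and `verify_auth_cookie` are assumptions for this example.

```python
import hmac
import hashlib
import secrets
from typing import Optional, Tuple

# Constructed secret for this example; a real deployment generates it once
# and keeps it server-side only (environment variable, secrets store).
SERVER_SECRET = secrets.token_bytes(32)


def parse_cookie_header(cookie_header: str) -> dict:
    """Minimal Cookie: header parser, e.g. 'a=1; b=2' -> {'a': '1', 'b': '2'}."""
    out = {}
    for part in cookie_header.split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            out[name] = value
    return out


def check_plain_cookie(cookie_header: str) -> bool:
    """The thread's design: accept a bare 'authlevel=1' cookie as proof of login.
    The server cannot tell a browser that passed .htaccess from one that
    simply sent the same name and value, so secrecy of the name is the only
    protection."""
    return parse_cookie_header(cookie_header).get("authlevel") == "1"


def make_auth_cookie(user: str, level: int) -> str:
    """Issue 'user:level:hex(HMAC-SHA256(secret, 'user:level'))' after a real login."""
    payload = f"{user}:{level}"
    tag = hmac.new(SERVER_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}:{tag}"


def verify_auth_cookie(cookie_value: str) -> Optional[Tuple[str, int]]:
    """Return (user, level) only if the tag matches the payload under the
    server secret; None for missing, forged or tampered cookies. Knowing the
    cookie's name and format is no longer enough to mint a valid one."""
    parts = cookie_value.split(":")
    if len(parts) != 3:
        return None
    user, level, tag = parts
    expected = hmac.new(SERVER_SECRET, f"{user}:{level}".encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    return user, int(level)
```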

