[thelist] RE: Can cookies be faked?

Simon Willison cs1spw at bath.ac.uk
Thu Oct 9 09:19:42 CDT 2003


John.Brooking at NA.SAPPI.COM wrote:
>>If I understand you correctly, such a cookie could still be faked by a 
>>malicious user. Remember, an advanced enough user can control ALL of the 
>>data flowing from their client to your server, so you should never trust 
>>any information from the client.
> 
> My thought was that if the cookie is only set on a page in a protected
> directory, and never referenced anywhere in client-side code, the hacker
> would have no way of knowing what name and value to fake. That information
> is only recorded in the protected directory, and in server-side code.

That's security through obscurity, which is widely regarded as a very 
bad idea. There are a number of ways a cracker could find out the name 
and value of the required cookie - for example, if your server 
accidentally spewed out the source code to one of your scripts (which 
can happen if Apache is upgraded and the PHP-enabled config file is 
overwritten), by sniffing HTTP traffic or by examining a machine that 
has already logged in to your system when the machine's owner is away 
from their desk. Or they could just get lucky.

Sessions aren't that much extra workload to set up, and provide a much 
better level of security.

Cheers,

Simon
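
The contrast drawn in the reply above, as an added Python example that is not part of the original post: a fixed name/value cookie check beside a minimal server-side session store. The cookie name `sid`, the constants and the `SessionStore` class are assumptions made for illustration.

```python
import secrets
import time

# Weak scheme from the thread: one fixed cookie name/value shared by every
# logged-in user. Both constants are constructed for this example.
STATIC_NAME, STATIC_VALUE = "member", "yes-7731"

def static_cookie_ok(cookies):
    """Anyone who learns the pair once (leaked source, sniffed traffic,
    a borrowed browser) passes this check for as long as it stays unchanged."""
    return cookies.get(STATIC_NAME) == STATIC_VALUE

class SessionStore:
    """Server-side sessions: the cookie carries only a random identifier;
    who it belongs to and when it expires are recorded on the server."""

    def __init__(self, ttl_seconds=1800):
        self.ttl = ttl_seconds
        self._sessions = {}  # session id -> (username, expiry timestamp)

    def login(self, username, now=None):
        now = time.time() if now is None else now
        sid = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._sessions[sid] = (username, now + self.ttl)
        return sid  # value to place in the session cookie

    def authenticate(self, cookies, now=None):
        now = time.time() if now is None else now
        sid = cookies.get("sid", "")
        entry = self._sessions.get(sid)
        if entry is None:
            return None  # unknown or forged identifier
        username, expires = entry
        if now >= expires:
            del self._sessions[sid]  # expired identifiers stop working
            return None
        return username

    def logout(self, cookies):
        # Server-side revocation: the identifier is useless afterwards.
        self._sessions.pop(cookies.get("sid", ""), None)
```

A captured session identifier can still be replayed until it expires or the user logs out, so the cookie should also travel only over HTTPS.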


