[thelist] RE: Can cookies be faked?
Simon Willison
cs1spw at bath.ac.uk
Thu Oct 9 09:19:42 CDT 2003
John.Brooking at NA.SAPPI.COM wrote:
>>If I understand you correctly, such a cookie could still be faked by a
>>malicious user. Remember, an advanced enough user can control ALL of the
>>data flowing from their client to your server, so you should never trust
>>any information from the client.
>
> My thought was that if the cookie is only set on a page in a protected
> directory, and never referenced anywhere in client-side code, the hacker
> would have no way of knowing what name and value to fake. That information
> is only recorded in the protected directory, and in server-side code.
That's security through obscurity, which is widely regarded as a very
bad idea. There are a number of ways a cracker could find out the name
and value of the required cookie - for example, if your server
accidentally spewed out the source code to one of your scripts (which
can happen if Apache is upgraded and the PHP-enabled config file is
overwritten), by sniffing HTTP traffic or by examining a machine that
has already logged in to your system when the machine's owner is away
from their desk. Or they could just get lucky.
Sessions aren't that much extra workload to set up, and provide a much
better level of security.
Cheers,
Simon