[Javascript] Can I Give Myself a Cookie ?

David T. Lovering dlovering at gazos.com
Tue Apr 22 23:29:56 CDT 2003


Actually, this is not trivial, as acquiring the cookie is only the beginning
of a rather tedious decryption process.  Also, if your browser prevents back-tracking
on the path to the various cookie cache directories, this won't work.  

Where it does work is in instances where (a) the cookie directory is down-stream of
an accessible directory and is not "hidden" from JavaScript/ActiveX/whatever, (b)
the encryption on the cookie is either slight or non-existent, and (c) the hash
used in the encryption is derived exclusively from plaintext information (such as
the URL, IP address of the client, etc.).  Simply using an encryption method that
doesn't rely on such obvious things neatly defeats the method I described.

However, simply because such practices can be implemented through a given browser
shouldn't damn the browser, but rather the coding and encrypting methods of the
cookie writer.  It's like anything else -- done prudently, and with the proper 
safeguards, it's perfectly OK.  Only when we get sloppy are there unfortunate
consequences later.

-- Dave Lovering

"T. Bradley Dean" wrote:
> 
> Boy, I gotta start getting to work before 1 PM, I'm missing all the good
> discussions!
> 
> David T. Lovering Wrote:
> 
> >However, there are perfectly good JavaScript methods for
> >listing a directory's contents (including those that contain
> >cookies), and using an iframe with a src="<path/cookiefilename>"
> >can work quite nicely as a raw cookie viewer, irrespective of
> >which site the client is actually attached to.  Simply spinning
> >this back to the server of an illicit site will provide a snapshot
> >of the cookie's contents,
> 
> I do not believe the above would work. And if it did, it would most
> certainly be seen by the community as a "flaw" in whatever browsers it
> worked in.
> 
> Cookies are designed to be viewed only by the site that wrote them. If you
> are able to get access to them outside of the browser that's a different
> story, and I would say quite illegal depending on how it's used. If you get
> the user to accept an ActiveX or Java program and then use that to scan
> other sites' cookies, decrypt them, and steal credit card numbers - well -
> you might as well do the same with my Quicken data. If you are using that
> argument to say cookies are "unsafe" everything on my workstation is just as
> "unsafe".
> 
> ~Brad
> 
> _______________________________________________
> Javascript mailing list
> Javascript at LaTech.edu
> https://lists.LaTech.edu/mailman/listinfo/javascript
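
Condition (c) in the message above, shown as an added example that is not part of the original thread or either poster's code: a cookie sealed with a key hashed from the URL and client IP can be reopened by anyone who knows those two values, while a random server-held key cannot be re-derived. It assumes Node.js; the function names, URL, IP address and cookie contents are constructed for illustration.

```javascript
// Added example (Node.js). All names and sample values are hypothetical.
const crypto = require('node:crypto');

// Weak: the key is a hash of information that is not secret (URL + client IP).
function weakKey(siteUrl, clientIp) {
  return crypto.createHash('sha256').update(siteUrl + '|' + clientIp).digest();
}

// Hardened: the key is random and never leaves the server.
const SERVER_KEY = crypto.randomBytes(32);

// Encrypt and authenticate a cookie value: base64(iv || tag || ciphertext).
function seal(key, plaintext) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([c.update(plaintext, 'utf8'), c.final()]);
  return Buffer.concat([iv, c.getAuthTag(), ct]).toString('base64');
}

// Returns the plaintext, or null when the key is wrong or the value was altered.
function unseal(key, cookieValue) {
  const raw = Buffer.from(cookieValue, 'base64');
  if (raw.length < 28) return null; // too short to hold iv (12) + tag (16)
  const d = crypto.createDecipheriv('aes-256-gcm', key, raw.subarray(0, 12));
  d.setAuthTag(raw.subarray(12, 28));
  try {
    return Buffer.concat([d.update(raw.subarray(28)), d.final()]).toString('utf8');
  } catch {
    return null;
  }
}

function compare() {
  const url = 'https://shop.example/', ip = '203.0.113.7'; // constructed
  const value = 'session=alice;tier=gold';                 // constructed
  const weakCookie = seal(weakKey(url, ip), value);
  const strongCookie = seal(SERVER_KEY, value);
  // A party holding only the cookie text plus the public URL and IP:
  const rederived = weakKey(url, ip);
  return {
    weakRecovered: unseal(rederived, weakCookie),     // plaintext comes back
    strongRecovered: unseal(rederived, strongCookie), // null
    serverReads: unseal(SERVER_KEY, strongCookie),    // plaintext, server only
  };
}

console.log(compare());
```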

