[thelist] someone else's cookies?

Oliver Lineham oliver at lineham.co.nz
Mon Nov 13 04:26:06 CST 2000

At 17:45 16/10/2000 +0100, you wrote:

>We have started logging cookies in our Apache logs, and we are finding that
>for some visitors as well as cookies set by our site either now or in the
>past, we are also getting
>SITESERVER=ID=and what is presumably a session id string
>RMID=presumably a session id string

i'm going to try and distill a very long story into a few lines, so take a 
big breath:

judging from your email address, your webserver is a .co.uk, yes?

the cookies you are seeing are indeed set by a microsoft server as someone 
else suggested, but it's probably not yours. it's probably 
microsoft.co.uk.  (i can hear some people saying "that's not possible!" 
just keep reading ;)

when you set a cookie, you can set a "domain" for the cookie.  it's not 
supposed to be possible to set it to something like ".COM" or ".CO.UK".

but, it *is* possible because there is a security hole in most versions of 
IE (before IE5), all versions of Netscape, and most versions of most other 

i discovered this security hole a couple of years ago, and reported it here:
it is also on the "bugtraq" archives.

the security hole was confirmed by the microsoft security team / ie 
development team, and also by netscape.

summary: if you're on a ccTLD (like .nz or .uk), you can expect to be sent 
other people's cookies.

if anyone's confused or wants more information, i'm happy to explain further.


     v i b e   m e d i a    http://www.vibe.co.nz/
  po box 10-492              wellington, new zealand
  phone +64 21 210-7845         oliver at lineham.co.nz
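
The cookie-domain behaviour described in this message, as an added example that is not part of the original post: a dot-counting acceptance check (an assumed simplification of the period-counting rule in the original Netscape cookie specification) next to a check against a public suffix list, plus a server-side filter for cookie names the site never set. The suffix list, the host `www.example.co.uk`, the `SESSION` cookie and all cookie values are constructed for illustration.

```javascript
// Constructed, deliberately tiny stand-in for a real public suffix list.
const PUBLIC_SUFFIXES = new Set(["com", "uk", "co.uk", "nz", "co.nz"]);

// Lowercase and drop a leading/trailing dot so ".CO.UK" and "co.uk" compare equal.
function normalize(name) {
  return name.trim().toLowerCase().replace(/^\./, "").replace(/\.$/, "");
}

// True when a cookie scoped to cookieDomain would be sent to host.
function domainMatches(host, cookieDomain) {
  const h = normalize(host);
  const d = normalize(cookieDomain);
  return h === d || h.endsWith("." + d);
}

// Assumed legacy rule: accept any Domain with at least two dots that tail-matches
// the setting host. ".com" fails, but ".co.uk" passes.
function legacyAccepts(host, domainAttr) {
  const d = domainAttr.trim().toLowerCase();
  const dots = (d.match(/\./g) || []).length;
  return dots >= 2 && host.toLowerCase().endsWith(d);
}

// Stricter rule: the Domain must cover the setting host and must not be a public suffix.
function strictAccepts(host, domainAttr) {
  const d = normalize(domainAttr);
  if (d === "" || PUBLIC_SUFFIXES.has(d)) return false;
  return domainMatches(host, d);
}

// Server-side check: names in a logged Cookie header that this site never sets.
function foreignCookies(cookieHeader, ownNames) {
  return cookieHeader
    .split(";")
    .map((pair) => pair.trim().split("=")[0])
    .filter((name) => name !== "" && !ownNames.has(name));
}

// Constructed sample values, not taken from a real log.
const setter = "www.microsoft.co.uk";
const receiver = "www.example.co.uk";
const logged = "SESSION=abc123; SITESERVER=ID=0123456789abcdef; RMID=0a1b2c3d";

console.log("legacy accepts .co.uk:", legacyAccepts(setter, ".co.uk"));
console.log("strict accepts .co.uk:", strictAccepts(setter, ".co.uk"));
console.log("sent to unrelated .co.uk host:", domainMatches(receiver, ".co.uk"));
console.log("foreign cookies:", foreignCookies(logged, new Set(["SESSION"])));
```

A production check would load the full public suffix list instead of the five constructed entries used here.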
