[thelist] Can cookies be faked?

Simon Willison cs1spw at bath.ac.uk
Wed Oct 8 18:12:52 CDT 2003

John.Brooking at NA.SAPPI.COM wrote:
> Sorry if this is a dumb question. I can't seem to refine my Google search
> appropriately to answer it. At least it should be a simple one for many of
> you.
> If I want to set a cookie to indicate that someone has a certain authority,
> I'm thinking it's not a good idea for pages to then check for that cookie in
> client-side JavaScript, where someone could just look at the page source to
> discover the expected name and value of the cookie. I suspect it is almost
> trivial, for someone who knows how, to give themselves such a cookie by
> editing their client's cookie jar directly. Am I right?

You're absolutely right - but even if you were checking the cookie with 
server side code such a cookie would be a huge security hole. It's 
trivial to find out what cookies a site has set - you can do so by 
pasting the following into the URL bar while viewing the site in question:


If a malicious user did that on your site and saw a cookie called 
"authlevel" set to a value of 1, it would be trivial for them to edit 
their cookie to give them a higher value.

The secure alternative is to use sessions. In some server side code, 
generate a big ugly random string. Send that string to the user as a 
cookie, then store the string somewhere (I generally use a database) 
along with the user ID of that user (or their permissions or both). Then 
whenever they request a page you can look up their permissions. To crack 
this system, a user would have to guess the session ID of someone with a 
higher permission level than them, which is virtually impossible 
provided the session string is long enough.

Many server side programming languages have a sessions feature which can 
do all of this for you, but I tend to roll my own as it gives me more 
control over details like how long the cookie lasts for.

Hope that helps,

Simon Willison
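The two schemes contrasted in the reply above, as an added example that is not part of the original post or of any code Simon Willison published: the forgeable "authlevel" cookie beside the server-side session lookup. The user table and the usernames are constructed for the example, a plain dict stands in for the database table the reply mentions, and the `Set-Cookie` attributes (HttpOnly, Secure, SameSite, Max-Age) are the standard ones a practitioner would add today rather than anything the post specifies.

```python
import secrets
import time
from http.cookies import SimpleCookie
from typing import Dict, Optional

# Constructed user table for the example (hypothetical accounts, not real data).
USERS = {
    "alice": {"id": 1, "authlevel": 1},
    "admin": {"id": 2, "authlevel": 9},
}


def parse_cookie_header(header: str) -> Dict[str, str]:
    """Turn a raw 'Cookie:' request header into a name -> value dict."""
    jar = SimpleCookie()
    jar.load(header)
    return {name: morsel.value for name, morsel in jar.items()}


# --- The insecure scheme the post warns about -------------------------------

def authlevel_from_trusted_cookie(cookies: Dict[str, str]) -> int:
    """Reads the permission level straight out of the client's cookie jar.
    The client can see and edit every cookie it holds, so this value is
    whatever the client wants it to be.  Checking it server-side does not help."""
    try:
        return int(cookies.get("authlevel", "0"))
    except ValueError:
        return 0


# --- The session scheme described in the reply ------------------------------

SESSION_TTL = 3600                 # seconds; the "how long the cookie lasts" knob
SESSIONS: Dict[str, dict] = {}     # in-memory stand-in for a sessions table


def create_session(username: str, now: Optional[float] = None) -> str:
    """Generate a long random session ID and store it server-side together
    with the user and their permissions.  Only the opaque ID goes to the client."""
    now = time.time() if now is None else now
    session_id = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG: not guessable
    SESSIONS[session_id] = {
        "user_id": USERS[username]["id"],
        "authlevel": USERS[username]["authlevel"],
        "expires": now + SESSION_TTL,
    }
    return session_id


def session_cookie_header(session_id: str) -> str:
    """Set-Cookie line for the session ID.  HttpOnly keeps it away from
    document.cookie, Secure keeps it off plain HTTP, Max-Age bounds its life."""
    return (f"Set-Cookie: sessionid={session_id}; Path=/; HttpOnly; Secure; "
            f"SameSite=Lax; Max-Age={SESSION_TTL}")


def authlevel_from_session(cookies: Dict[str, str], now: Optional[float] = None) -> int:
    """Look the session ID up server-side; permissions come from our store,
    never from the cookie.  Unknown, missing or expired IDs get level 0."""
    now = time.time() if now is None else now
    session_id = cookies.get("sessionid")
    if not session_id:
        return 0
    record = SESSIONS.get(session_id)
    if record is None:
        return 0
    if record["expires"] <= now:
        del SESSIONS[session_id]       # reap the stale row
        return 0
    return record["authlevel"]


def forge_authlevel_cookie() -> int:
    """What a user with level 1 gets by editing 'authlevel=1' to 'authlevel=9'."""
    return authlevel_from_trusted_cookie(parse_cookie_header("authlevel=9"))


def forge_session_cookie() -> int:
    """The same trick against the session scheme: an invented session ID
    matches nothing in the store, so the attacker stays at level 0."""
    guess = secrets.token_urlsafe(32)
    return authlevel_from_session(parse_cookie_header(f"sessionid={guess}"))


if __name__ == "__main__":
    print("forged authlevel cookie grants level:", forge_authlevel_cookie())
    print("forged session cookie grants level:", forge_session_cookie())
    sid = create_session("alice")
    print(session_cookie_header(sid))
    print("alice via session:", authlevel_from_session({"sessionid": sid}))
```

The expiry check lives in the server-side store as well as in `Max-Age`, because the browser's cookie lifetime is advisory: a client can keep sending an old ID forever, so the server has to stop honouring it on its own.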
