Editing Cookies

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

s.dot
Tranquility In Moderation
Posts: 5001
Joined: Sun Feb 06, 2005 7:18 pm
Location: Indiana

Editing Cookies

Post by s.dot »

My cookies are pretty secure, so I'm not worried too much about people changing the login name in the cookie, and logging in as anybody they want, without a password.

However, I want to double-check. A while back, a guy helped me develop an algorithm that checks the database against the cookie. I want to make sure that I am still safe.

I searched my hard drive for cookies from my domain, and edited the value of it, and I didn't get the error message like I was supposed to. However, I also wasn't logged in as someone else. So this leads me to believe that I am going about editing the cookie all wrong. I don't believe I am editing the right one (although it's the only one I see).

Are cookies that are set to die on browser close stored on the hard drive? (The only ones I found were ones that had an expiration date, so to speak.) If they are, where can I find them? (IE 6.0)
Set Search Time - A google chrome extension. When you search only results from the past year (or set time period) are displayed. Helps tremendously when using new technologies to avoid outdated results.
anjanesh
DevNet Resident
Posts: 1679
Joined: Sat Dec 06, 2003 9:52 pm
Location: Mumbai, India

Post by anjanesh »

C:\Documents and Settings\username\Cookies seems to contain cookies on WinXP.
But on other versions it's in the Temporary Internet Files folder.
s.dot
Tranquility In Moderation
Posts: 5001
Joined: Sun Feb 06, 2005 7:18 pm
Location: Indiana

Post by s.dot »

This location (and in temporary internet files) only finds 2 cookies.

I set 4 cookies on login. 2 that die on browser close (the ones not showing up) and two that persist for a month.

Do the ones that do not persist not get stored?
anjanesh
DevNet Resident
Posts: 1679
Joined: Sat Dec 06, 2003 9:52 pm
Location: Mumbai, India

Post by anjanesh »

I think some are hidden.
s.dot
Tranquility In Moderation
Posts: 5001
Joined: Sun Feb 06, 2005 7:18 pm
Location: Indiana

Post by s.dot »

I searched 'hidden files and folders' ... no luck.

I know they are there somewhere though. When I use Mozilla FireFox and go to Options > Privacy > Cookies > View Cookies... I see all 4 of them.

I only find 2 on my HD using Windows search.
anjanesh
DevNet Resident
Posts: 1679
Joined: Sat Dec 06, 2003 9:52 pm
Location: Mumbai, India

Post by anjanesh »

Tried searching for these files using Administrator mode? Or System mode?
If not, then set permissions to view all cookies in Admin mode - I definitely saw this somewhere - don't remember where.
s.dot
Tranquility In Moderation
Posts: 5001
Joined: Sun Feb 06, 2005 7:18 pm
Location: Indiana

Post by s.dot »

Hmm, I just read a site that says temporary cookies do not actually write anything to your hard drive.

There are two types of cookies: "file" cookies and "temporary" cookies. File cookies are kept on your hard disk for a period of time. Temporary cookies (or "cache" or "memory" cookies) are stored in your browser memory instead, and they go away as soon as you exit your browser; therefore, temporary cookies never touch your hard disk.

So then it would be impossible to edit? Or a fair bit harder than just typing a new login (in the login cookie)?
anjanesh
DevNet Resident
Posts: 1679
Joined: Sat Dec 06, 2003 9:52 pm
Location: Mumbai, India

Re: Editing Cookies

Post by anjanesh »

scrotaye wrote: However, I want to double-check. A while back, a guy helped me develop an algorithm that checks the database against the cookie. I want to make sure that I am still safe.
Cookie storage is totally browser dependent.
Someone can just download the Mozilla source, alter the way cookies are handled, and recompile.

Regarding 'temporary cookies' - I guess if it's stored in RAM then you probably can get it using C/C++ - don't know how - if you do come across a situation then please do post a link.
s.dot
Tranquility In Moderation
Posts: 5001
Joined: Sun Feb 06, 2005 7:18 pm
Location: Indiana

Post by s.dot »

I downloaded a 'cookie editor' extension for Firefox. I was able to go in and edit the temporary cookies, and as I expected, my site is safe. Any time I try to change any of the values in it and then browse a page, I get logged out. So that's good. =) Thanks for your help.
shiflett
Forum Contributor
Posts: 124
Joined: Sun Feb 06, 2005 11:22 am

Re: Editing Cookies

Post by shiflett »

scrotaye wrote:Are cookies that are set to die on browser close stored on the hard drive?
No, these are stored in memory, which is freed when the browser closes.

It's impossible for anyone to help you evaluate the strengths and weaknesses of your implementation without some information.
Joe
Forum Regular
Posts: 939
Joined: Sun Feb 29, 2004 1:26 pm
Location: UK - Glasgow

Re: Editing Cookies

Post by Joe »

Cookies die when the HTTP expiry header reaches its deadline. Like shiflett said, it is pretty impossible without some information, as other parts of your site may be vulnerable to XSS attacks etc. Have you considered sessions?
shiflett wrote:
scrotaye wrote:Are cookies that are set to die on browser close stored on the hard drive?
No, these are stored in memory, which is freed when the browser closes.

It's impossible for anyone to help you evaluate the strengths and weaknesses of your implementation without some information.
josh
DevNet Master
Posts: 4872
Joined: Wed Feb 11, 2004 3:23 pm
Location: Palm beach, Florida

Post by josh »

Cookies are un-trusted input, any precautions you would take on form data, you should also take on a cookie. This goes for anything sent in an http request, including but not limited to: post data, get data, cookies, and the http request itself. If you *really* want to test some stuff out, telnet to your site and send the cookie header manually and watch the response you get back, set up a test page for this so you don't have to go through 1,000 lines of html.
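The two points raised above (the original poster's server-side check that a login cookie matches what the database holds, and josh's suggestion to hand-craft the Cookie header rather than trusting the browser) can be shown together in one runnable script. This is an added example in Python, not the poster's PHP code nor anything from the thread: it stands up a local HTTP server whose `/whoami` page accepts a `user` cookie only when the accompanying `token` cookie maps to that user in a constructed in-memory "database", then sends raw GET requests over a socket (the telnet approach) with a genuine cookie, a renamed user, a forged token, and no cookie at all. All names (`SESSIONS`, `login`, `user_for_cookie`, `raw_get`, `run_demo`) are this example's own.

```python
import hmac
import secrets
import socket
import threading
from http.cookies import SimpleCookie
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed in-memory "database": random session token -> login name.
# The token, not the login name, is what identifies the session; the name
# in the cookie is only accepted when it matches the stored one.
SESSIONS = {}


def login(user):
    """Create a session for `user` and return the random token to set as a cookie."""
    token = secrets.token_hex(16)
    SESSIONS[token] = user
    return token


def user_for_cookie(cookie_header):
    """Return the logged-in user for a raw Cookie header value, or None when the
    header is missing, malformed, lacks either cookie, or does not match the DB."""
    jar = SimpleCookie()
    try:
        jar.load(cookie_header or "")
    except Exception:           # unparsable cookie string is just an untrusted input
        return None
    if "user" not in jar or "token" not in jar:
        return None
    expected = SESSIONS.get(jar["token"].value)
    if expected is None:
        return None             # unknown token: forged or expired
    # Constant-time compare so a renamed `user` cookie cannot be probed byte by byte.
    if not hmac.compare_digest(expected.encode(), jar["user"].value.encode()):
        return None             # token is real but belongs to someone else: log out
    return expected


class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        user = user_for_cookie(self.headers.get("Cookie"))
        body = (f"hello {user}" if user else "logged out").encode()
        self.send_response(200 if user else 401)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def raw_get(port, cookie_header):
    """Send a hand-built GET with an arbitrary Cookie header, exactly as one would
    type it into telnet, and return (status_code, body)."""
    request = (
        "GET /whoami HTTP/1.1\r\n"
        "Host: localhost\r\n"
        "Connection: close\r\n"
        f"Cookie: {cookie_header}\r\n"
        "\r\n"
    ).encode()
    with socket.create_connection(("127.0.0.1", port)) as sock:
        sock.sendall(request)
        data = b""
        while chunk := sock.recv(4096):
            data += chunk
    head, _, body = data.partition(b"\r\n\r\n")
    return int(head.split(b" ")[1]), body.decode()


def run_demo():
    """Start the server on a free port, log in 'alice', and replay four cookie
    variants against it. Returns {case: (status, body)}."""
    server = HTTPServer(("127.0.0.1", 0), Handler)
    port = server.server_address[1]
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        token = login("alice")
        return {
            "genuine": raw_get(port, f"user=alice; token={token}"),
            "renamed": raw_get(port, f"user=admin; token={token}"),
            "forged_token": raw_get(port, "user=alice; token=" + "0" * 32),
            "no_cookie": raw_get(port, ""),
        }
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for case, (status, body) in run_demo().items():
        print(f"{case:13} -> {status} {body}")
```

Only the genuine pair gets `200 hello alice`; renaming the user, substituting a token, or omitting the cookies all land on `401 logged out`, which is the "I get logged out" behaviour the poster observed with the cookie editor. Because the request is assembled by hand, the browser's own cookie store (on disk or in memory) is irrelevant to the test, which is the point josh makes: every header in the request is attacker-controlled.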
Ambush Commander
DevNet Master
Posts: 3698
Joined: Mon Oct 25, 2004 9:29 pm
Location: New Jersey, US

Post by Ambush Commander »

Unnecessary. Firefox extensions provide facilities to make all sorts of fake cookies. Telnet is only necessary when you need fine-grained control over exactly what headers are sent.
shiflett
Forum Contributor
Posts: 124
Joined: Sun Feb 06, 2005 11:22 am

Post by shiflett »

Ambush Commander wrote:Unnecessary. Firefox extensions provide facilities to make all sorts of fake cookies. Telnet is only necessary when you need fine-grained control over exactly what headers are sent.
Your statement is correct, but be careful with the "unnecessary" intro - it makes it sound like you're trying to dispute jshpro2's comment. He's talking about "anything sent in an http request, including but not limited to: post data, get data, cookies, and the http request itself." He mentions telnet in the context of manipulating cookies, but I don't think it's safe to assume that he doesn't know about other ways to manipulate cookies.

I'm just trying to point out that it's best not to dispute someone's comment unless they say something that is necessarily wrong and potentially damaging (e.g., could cause someone problems if they read it).

Along these lines, I'd like to mention that the LiveHTTPHeaders extension, although lacking many features I'd like to see, lets you modify an HTTP request and "replay" it. This is easier for most people than using telnet.
Ambush Commander
DevNet Master
Posts: 3698
Joined: Mon Oct 25, 2004 9:29 pm
Location: New Jersey, US

Post by Ambush Commander »

shiflett wrote:I'm just trying to point out that it's best not to dispute someone's comment unless they say something that is necessarily wrong and potentially damaging (e.g., could cause someone problems if they read it).
Errr... sorry.