Editing Cookies
Posted: Sun Aug 28, 2005 2:48 am
by s.dot
My cookies are pretty secure, so I'm not worried too much about people changing the login name in the cookie, and logging in as anybody they want, without a password.
However, I want to double check. A while back, a guy helped me develop an algorithm that checks the database against the cookie. I want to make sure that I am still safe.
I searched my hard drive for cookies from my domain, and edited the value of it, and I didn't get the error message like I was supposed to. However, I also wasn't logged in as someone else. So this leads me to believe that I am going about editing the cookie all wrong. I don't believe I am editing the right one (although it's the only one I see).
Are cookies that are set to die on browser close stored on the hard drive? (The only ones I found were ones that had an expiration date, so to speak.) If they are, where can I find them? (IE 6.0).
Posted: Sun Aug 28, 2005 3:14 am
by anjanesh
C:\Documents and Settings\username\Cookies seems to contain cookies on WinXP.
But on other versions it's there in the Temporary Internet Files folder.
Posted: Sun Aug 28, 2005 3:23 am
by s.dot
This location (and in temporary internet files) only finds 2 cookies.
I set 4 cookies on login. 2 that die on browser close (the ones not showing up) and two that persist for a month.
Do the ones that do not persist not get stored?
Posted: Sun Aug 28, 2005 3:31 am
by anjanesh
I think there are some hidden.
Posted: Sun Aug 28, 2005 3:56 am
by s.dot
I searched 'hidden files and folders' ... no luck.
I know they are there somewhere though. When I use Mozilla Firefox and go to Options > Privacy > Cookies > View Cookies... I see all 4 of them.
I only find 2 on my hard drive using Windows search.
Posted: Sun Aug 28, 2005 4:04 am
by anjanesh
Tried searching for these files using Administrator mode? Or System mode?
If not, then set permissions to view all cookies in Admin mode - I definitely saw this somewhere - don't remember where.
Posted: Sun Aug 28, 2005 4:32 am
by s.dot
Hmm I just read a site that says temporary cookies do not actually write anything to your hard drive.
There are two types of cookies: "file" cookies and "temporary" cookies. File cookies are kept on your hard disk for a period of time. Temporary cookies (or "cache" or "memory" cookies) are stored in your browser memory instead, and they go away as soon as you exit your browser; therefore, temporary cookies never touch your hard disk.
So then it would be impossible to edit? Or at least harder than just typing a new login (in the login cookie)?
Re: Editing Cookies
Posted: Sun Aug 28, 2005 4:47 am
by anjanesh
scrotaye wrote:
However, I want to double check. A while back, a guy helped me develop an algorithm that checks the database against the cookie. I want to make sure that I am still safe.
Cookie storage is totally browser dependent.
Someone can just download the Mozilla source and alter the way cookies should be handled and recompile.
Regarding 'temporary cookies' - I guess if it's stored in RAM then you probably can get it using C/C++ - don't know how - if you do come across a situation then please do post a link.
Posted: Sun Aug 28, 2005 5:15 am
by s.dot
I downloaded a 'cookie editor' extension for Firefox. I was able to go in and edit the temporary cookies, and as I expected, my site is safe. Any time I try to change any of the values in it and then browse a page, I get logged out. So that's good. =) Thanks for your help.
Re: Editing Cookies
Posted: Sun Aug 28, 2005 11:37 am
by shiflett
scrotaye wrote:
Are cookies that are set to die on browser close stored on the hard drive?
No, these are stored in memory, which is freed when the browser closes.
It's impossible for anyone to help you evaluate the strengths and weaknesses of your implementation without some information.
Re: Editing Cookies
Posted: Sun Aug 28, 2005 12:47 pm
by Joe
Cookies die when the HTTP expiry header reaches its deadline. Like shiflett said, it is pretty impossible without some information, as other parts of your site may be vulnerable to XSS attacks etc. Have you considered sessions?
shiflett wrote:
scrotaye wrote:
Are cookies that are set to die on browser close stored on the hard drive?
No, these are stored in memory, which is freed when the browser closes.
It's impossible for anyone to help you evaluate the strengths and weaknesses of your implementation without some information.
Posted: Sun Aug 28, 2005 1:16 pm
by josh
Cookies are untrusted input; any precautions you would take on form data, you should also take on a cookie. This goes for anything sent in an HTTP request, including but not limited to: POST data, GET data, cookies, and the HTTP request itself. If you *really* want to test some stuff out, telnet to your site and send the cookie header manually and watch the response you get back; set up a test page for this so you don't have to go through 1,000 lines of HTML.
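A server-side check of the kind this thread is circling around, written here as an added example in Python (it is not code from any poster, and the secret, user id and timestamps are constructed): the login cookie carries the user id plus an HMAC under a server-side secret, so a value edited in a cookie editor or sent by hand over telnet fails verification and the client is logged out, and the persistent/session distinction is just whether an expiry attribute is attached.

```python
import hashlib
import hmac
from http.cookies import CookieError, SimpleCookie

# Constructed server-side secret; in a real deployment this is generated once
# and never leaves the server (it is what makes the cookie value unforgeable).
SERVER_SECRET = b"constructed-example-secret-do-not-reuse"

THIRTY_DAYS = 30 * 24 * 3600


def _sign(payload: bytes) -> str:
    return hmac.new(SERVER_SECRET, payload, hashlib.sha256).hexdigest()


def make_login_cookie(user_id: int, issued_at: int, persistent: bool) -> str:
    """Return the Set-Cookie header value for a login cookie.

    Value layout is 'user_id|issued_at|hmac'. persistent=True attaches an
    expiry (a 'file' cookie written to disk); persistent=False omits it, giving
    a session ('temporary') cookie that lives only in browser memory.
    """
    payload = f"{user_id}|{issued_at}".encode()
    c = SimpleCookie()
    c["login"] = f"{payload.decode()}|{_sign(payload)}"
    c["login"]["httponly"] = True   # keep it away from page scripts (XSS)
    c["login"]["path"] = "/"
    if persistent:
        c["login"]["expires"] = THIRTY_DAYS   # seconds from now -> date string
    return c["login"].OutputString()


def verify_login_cookie(cookie_header: str, now: int, max_age: int = THIRTY_DAYS):
    """Treat the Cookie request header as untrusted input.

    Returns the user id when the value is one this server minted and it has
    not gone stale; returns None otherwise (None means: log the client out).
    """
    c = SimpleCookie()
    try:
        c.load(cookie_header)
    except CookieError:
        return None
    if "login" not in c:
        return None
    parts = c["login"].value.split("|")
    if len(parts) != 3:
        return None
    uid, issued, mac = parts
    # Constant-time comparison: an edited user id no longer matches the MAC.
    if not hmac.compare_digest(_sign(f"{uid}|{issued}".encode()), mac):
        return None
    if not (uid.isdigit() and issued.isdigit()) or now - int(issued) > max_age:
        return None
    return int(uid)
```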
Posted: Sun Aug 28, 2005 2:14 pm
by Ambush Commander
Unnecessary. Firefox extensions provide facilities to make all sorts of fake cookies. Telnet is only necessary when you need fine-grained control over exactly what headers are sent.
Posted: Mon Aug 29, 2005 11:17 am
by shiflett
Ambush Commander wrote:
Unnecessary. Firefox extensions provide facilities to make all sorts of fake cookies. Telnet is only necessary when you need fine-grained control over exactly what headers are sent.
Your statement is correct, but be careful with the "unnecessary" intro - it makes it sound like you're trying to dispute jshpro2's comment. He's talking about "anything sent in an http request, including but not limited to: post data, get data, cookies, and the http request itself." He mentions telnet in the context of manipulating cookies, but I don't think it's safe to assume that he doesn't know about other ways to manipulate cookies.
I'm just trying to point out that it's best not to dispute someone's comment unless they say something that is necessarily wrong and potentially damaging (e.g., could cause someone problems if they read it).
Along these lines, I'd like to mention that the LiveHTTPHeaders extension, although lacking many features I'd like to see, lets you modify an HTTP request and "replay" it. This is easier for most people than using telnet.
Posted: Wed Aug 31, 2005 2:59 pm
by Ambush Commander
I'm just trying to point out that it's best not to dispute someone's comment unless they say something that is necessarily wrong and potentially damaging (e.g., could cause someone problems if they read it).
Errr... sorry.