WebApp Sec mailing list archives

Re: modify non-persistent cookies


From: "Mr. Rufus Faloofus" <foofus () foofus net>
Date: Tue, 17 Dec 2002 17:44:23 -0800

At 03:05 PM 12/17/2002 -0800, securityarchitect () hush com wrote:

The only difference between a persistent cookie and a non-persistent cookie is the expires element.

Precisely so.  The cookie is nothing more than some data returned
by the server: there is no way of knowing what will happen to it
at the client side.

If there is no expires element (time) defined, then the cookie is (should be, if the HTTP user agent follows directives) stored in memory.

And herein lies the bogus assumption that makes trouble for so
many web sites.  Once the cookie leaves the server, the server
has no control over what happens to it.  It is unsafe to assume
that it will be discarded at any future point in time, or that
it will be returned intact (or at all, for that matter).  Doing
so means trusting the user and the client software to behave.

[snip]
As others have suggested the usual way is to intercept the HTTP stream before the cookie hits the browser.

Actually, tools like Achilles or the @Stake proxy will allow you
to modify a browser's request on the way out, also.  Likewise, you
can roll your own cookie mangler with wget (might need sslproxy) or
the perl HTTP request module.

--Foofus.
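
Added example, not from the thread: one way to act on Foofus's point is to stop relying on the browser at all and have the server carry the expiry inside the cookie value, protected by an HMAC, so a value that was kept past its Expires time or edited on the way back is rejected. The secret, session id and timestamps below are constructed for illustration.

```python
import hashlib
import hmac
import time
from typing import Optional

# Constructed server-side secret for this example only; a real deployment
# loads it from configuration and rotates it.
SECRET_KEY = b"example-only-server-secret"


def issue_cookie(session_id: str, ttl_seconds: int, now: Optional[float] = None) -> str:
    """Build a cookie value of the form session|expires|hmac.

    The expiry lives in the value itself, so the server can enforce it even if
    the client ignores the Expires attribute or never discards the cookie.
    """
    now = time.time() if now is None else now
    expires = int(now) + ttl_seconds
    payload = f"{session_id}|{expires}"
    tag = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{tag}"


def verify_cookie(value: str, now: Optional[float] = None) -> Optional[str]:
    """Return the session id if the cookie is authentic and unexpired, else None.

    Anything the client sends back is untrusted input: malformed, tampered
    and stale values all fail closed.
    """
    now = time.time() if now is None else now
    try:
        payload, tag = value.rsplit("|", 1)
        session_id, expires_str = payload.rsplit("|", 1)
        expires = int(expires_str)
    except ValueError:
        return None  # wrong shape: missing fields or non-numeric expiry
    expected = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None  # value was altered after it left the server
    if now >= expires:
        return None  # lifetime enforced here, not by the browser
    return session_id
```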


