Re: Unable to impersonate another user although having its cookie

[Irene Abezgauz <irene.abezgauz () gmail com>]

Juan,

A few questions to direct this -

1. are there any parameters in the request itself that are not the
cookie and can be suspected as client/session identifiers?  (either in
the body of a POST or as part of the URL in a GET)?
2. are you trying to execute a similar request? is there a chance you
are failing not due to the cookie but due to lack of other parameters
(such as an anti-csrf token)?
3. is it http or https traffic? I've encountered applications that
make the connection between the ssl session and the application
session.

each of the above can be a direction of why it's not working for you.
answering one or more of those can help direct to the problem.

Irene

On Wed, Jul 1, 2009 at 1:14 PM, Juan Kinunt <kinunt () gmail com> wrote:
> Hi,
>
> I'm auditing a web application programmed in CakePHP and I'm having a problem.
> I'm almost sure the authentication mechanism is carried by a cookie
> but I'm unable to impersonate another user using its cookie.
> The probe I do is opening two sessions with two different users (one
> in internet explorer and one in firefox). Then I copy the cookie
> belonging to one user and substitute it in a request done by the other
> user (using WebScarab). The app throws and error and disconnects the
> validated and legal user.
> I think that some info is stored in server side about the client who
> owns each cookie.
>
> Is this possible? Is it the normal operation in sessions in CakePHP?
>
> Any info or pointer would be very useful.
>
> Thanks.