[2423] in WWW Security List Archive
Re: Smart Fine Print
daemon@ATHENA.MIT.EDU (Micah Brandon)
Wed Jul 17 06:50:18 1996
From: Micah Brandon <brandon@eniac.vv.com>
To: lensmith@mta-usa.org
Date: Mon, 15 Jul 1996 00:18:00 -0400 (EDT)
Cc: risopoul@informatik.uni-hamburg.de, www-security@ns2.rutgers.edu
In-Reply-To: <199607110538.WAA23551@desiree.teleport.com> from "Leonard H. Smith" at Jul 10, 96 10:38:12 pm
Errors-To: owner-www-security@ns2.rutgers.edu
> The level of paranoia here is interesting.
>
> I think the real question is: what methods are used to access the client
> computer's cookies and what restrictions are there? What information

This is fairly easy to answer. I've been watching these messages
pass back and forth about cookies and I'm finally going to throw in my
2 cents.

The only way to access a cookie is by looking at the HTTP_COOKIE
environment variable. CGI programs may do this. HOWEVER, the only way
a cookie gets there is if the browser puts it there. A CGI program cannot
"go out and get" a browser's cookies. It would be more correct to say that
the browser gives the cookies to the CGI.

When does it give them out? There are several things that must
match before a browser gives out its cookies. I'm not looking at the spec
right now so I might miss a few things (no flames please! :) The domain
must match the domain in the cookie. Further, if the CGI that placed the
cookie there was in a specific directory, then this must match as well.
Also, if the cookie has a 'secure' flag on it, then an additional condition
is the presence of SSL. In other words, the browser must be communicating
in 'secure' SSL mode before it will send the cookie.

So. If some hacker out there wanted to force a browser to send
a certain cookie, he would have to forge the domain, the directory the
CGI was called from and perhaps be on a Netscape Commerce Server as well...
Oh, and let's not forget that he would have to decipher the cookie itself.
I've seen some pretty crazy looking cookies out there... They are usually
meaningless by themselves. You'd have to have access to a database, or
some other server to actually make sense of them.

The programs I've written store the minimum amount of information
necessary (in the cookie) to tell one browser from another. The rest is
in a database on my server. The cookie would be useless out of this
context.

> is stored in cookies and how is that information generated? Another
> question revolves around creative

The cookie information is generated by a CGI program that sends
to the browser a header. That header being: Set-Cookie: cookie=1
The cookie cannot be greater than about 4k...

> variations on the theme....what method variations are possible?
>

Well, the only other way I can think of other than looking at
the HTTP_COOKIE variable (and meeting all the other requirements I
mentioned above) is to get access to the individual's machine and copy
that cookie.txt file. After all, it ain't encrypted.
--
Micah Brandon
System Administrator - vv.com
brandon@vv.com
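
The three conditions listed in the message above (domain, directory, and the 'secure' flag), as an added Python example that is not part of the original post: it computes the Cookie header a browser would hand to a CGI, which is what the server then sees in HTTP_COOKIE. The jar contents, host names and function names are constructed, and the exact boundary rules for domain and path matching follow RFC 6265, which is an assumption beyond what the message states.

```python
from urllib.parse import urlsplit

# Constructed sample jar: (name, value, domain, path, secure)
JAR = [
    ("session", "a81f3c", "shop.example.com", "/cgi-bin", False),
    ("checkout", "77e0d2", "shop.example.com", "/cgi-bin/pay", True),
    ("prefs", "blue", "example.com", "/", False),
    ("other", "zzz", "example.org", "/", False),
]


def domain_matches(host, cookie_domain):
    """Host equals the cookie domain or is a subdomain of it (dot boundary)."""
    host = host.lower()
    cookie_domain = cookie_domain.lower().lstrip(".")
    return host == cookie_domain or host.endswith("." + cookie_domain)


def path_matches(request_path, cookie_path):
    """Cookie path must be a prefix of the request path on a '/' boundary."""
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"


def cookie_header(jar, url):
    """Return the Cookie header value sent for url ('' if nothing matches)."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    path = parts.path or "/"
    over_ssl = parts.scheme == "https"
    sent = []
    for name, value, domain, cookie_path, secure in jar:
        if not domain_matches(host, domain):
            continue  # wrong site: the browser never offers it
        if not path_matches(path, cookie_path):
            continue  # CGI lives outside the directory the cookie was set for
        if secure and not over_ssl:
            continue  # 'secure' cookies are withheld on plain HTTP
        sent.append(f"{name}={value}")
    return "; ".join(sent)


if __name__ == "__main__":
    for u in ("http://shop.example.com/cgi-bin/cart.cgi",
              "https://shop.example.com/cgi-bin/pay/confirm.cgi",
              "http://badexample.com/"):
        print(u, "->", repr(cookie_header(JAR, u)))
```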