[3747] in WWW Security List Archive
Cookie question
daemon@ATHENA.MIT.EDU (Darren Cook)
Sun Dec 8 22:45:40 1996
To: www-security@ns2.rutgers.edu
From: darren@factcomm.co.jp (Darren Cook)
Date: Mon, 9 Dec 1996 10:06:45 +0900
Errors-To: owner-www-security@ns2.rutgers.edu

I was at a computer user club meeting last week, and there was a lively
discussion about cookies, mostly people asking how to switch them off, find
out where the cookies were stored on disk so they could delete them, etc.
People regarded them as a danger on a par with viruses.

A cookie only stores something put there by the server. The server cannot
read anything from your hard disk that is not a cookie. So the only danger
is of the server wasting your disk space (most cookies are only a few bytes,
but I suppose a nasty server could send a 1Gb cookie if it wanted?).

But then I started thinking of this scenario (assume not using SSL, S-HTTP,
etc.)

Client A: has an account on server B, which is charging him. He accesses his
account with a name and password.

Server B: stores a cookie on client A's machine, with name and password, to
save the user having to type his name and password in each time (*).

Server C: first pretends to be server B, and gets the cookie from client A.
It then pretends to be client A, and logs on to server B.

Is this possible?

I believe a machine can pretend to have another IP address, can't it?

Darren

*: I realize this means anyone can sit at client A and use that account. But
that is a separate issue.
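
Added example, not part of the original post: the scenario above relies on the cookie carrying the name and password and travelling without SSL, so this sketch flags a Set-Cookie value of that kind and shows a form that stores only a random session token with the Secure and HttpOnly attributes. The cookie names, sample values and function names are assumptions made for illustration.

```python
import secrets
from http.cookies import SimpleCookie

# Constructed sample: a cookie of the kind the post describes (password kept client-side).
WEAK_HEADER = "password=example-pw; Path=/"

# Assumed naming hints for cookies that hold a credential rather than a token.
CREDENTIAL_HINTS = ("pass", "pwd", "secret")


def audit_set_cookie(header_value):
    """Return a list of findings for one Set-Cookie header value."""
    jar = SimpleCookie()
    jar.load(header_value)
    findings = []
    for name, morsel in jar.items():
        if any(hint in name.lower() for hint in CREDENTIAL_HINTS):
            findings.append(f"{name}: credential stored in the cookie itself")
        if not morsel["secure"]:
            findings.append(f"{name}: no Secure attribute, sent over plain HTTP")
        if not morsel["httponly"]:
            findings.append(f"{name}: no HttpOnly attribute, readable by page script")
    return findings


def issue_session_cookie(sessions, username):
    """Build a Set-Cookie value holding only a random token.

    The token maps to the user on the server side (the `sessions` dict stands
    in for a session store), so the password never reaches the client's disk.
    """
    token = secrets.token_urlsafe(32)
    sessions[token] = username
    cookie = SimpleCookie()
    cookie["session"] = token
    cookie["session"]["path"] = "/"
    cookie["session"]["secure"] = True    # only returned over an encrypted connection
    cookie["session"]["httponly"] = True  # not exposed to scripts in the page
    return cookie["session"].OutputString()


if __name__ == "__main__":
    for finding in audit_set_cookie(WEAK_HEADER):
        print("weak:", finding)
    store = {}
    hardened = issue_session_cookie(store, "alice")
    print("hardened findings:", audit_set_cookie(hardened))
```
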