[3774] in WWW Security List Archive
Re: Cookie question
daemon@ATHENA.MIT.EDU (Edwin Ng)
Wed Dec 11 13:23:42 1996
Date: Thu, 12 Dec 1996 00:24:51 +0800 (GMT+0800)
From: Edwin Ng <durian@cyberweb.com.my>
To: www-security@ns2.rutgers.edu
In-Reply-To: <19961209010644046.AAA172@p12.pm-3.escot.co.jp>
Errors-To: owner-www-security@ns2.rutgers.edu
Hi,

If the service provider's server stores your password in your cookie file,
then you should stop using its services. Storing login passwords in a
cookie file is a big security risk. I still firmly believe in typing in the
password and login name over and over again. A little hassle, but better
than putting it in the cookie file for all to see and take, and for another
user to log in to your account.

Just my 2 cents' worth.
On Mon, 9 Dec 1996, Darren Cook wrote:
> I was at a computer user club meeting last week, and there was a lively
> discussion about cookies, mostly people asking how to switch them off, find
> out where the cookies were stored on disk so they could delete them, etc.
> People regarded them as a danger on a par with viruses.
>
> A cookie only stores something put there by the server. The server cannot
> read anything from your hard disk that is not a cookie. So the only danger
> is of the server wasting your disk space (most cookies are only a few bytes,
> but I suppose a nasty server could send a 1Gb cookie if it wanted?).
>
> But then I started thinking of this scenario (assume not using SSL, S-HTTP,
> etc.)
>
> Client A: has an account on server B, which is charging him. He accesses his
> account with a name and password.
>
> Server B: stores a cookie on client A's machine, with name and password, to
> save the user having to type his name and password in each time (*).
>
> Server C: first pretends to be server B, and gets the cookie from client A.
> It then pretends to be client A, and logs on to server B.
>
> Is this possible?
> I believe a machine can pretend to have another IP address, can't it?
>
> Darren
>
> *: I realize this means anyone can sit at client A and use that account. But
> that is a separate issue.
>
>
Regards.
---
Edwin Ng | Mobile : +60 16 223 3761
Lasercorp Sdn Bhd / | Phone : +60 3 732 9323
Cyberweb Associates | Fax : +60 3 732 9322
15G Jalan SS15/8B | E-mail : durian@cyberweb.com.my
Subang Jaya |
47500 Petaling Jaya |
Selangor |
Malaysia |
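The alternative both posters circle around is a cookie that carries an opaque, expiring, server-signed session token instead of the login name and password. The following is an added Python illustration, not code from either poster: the account record, the salt, the signing-key handling, the `user:expiry:nonce:hmac` layout and the `Set-Cookie` attributes are all constructed assumptions for the example.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Constructed sample account on "server B": the password exists on the server
# only as a salted PBKDF2 hash and is never placed in anything sent to the client.
_SALT = b"constructed-salt"
USER_DB = {"alice": hashlib.pbkdf2_hmac("sha256", b"hunter2", _SALT, 100_000)}

# Server-side signing key: generated at startup, never sent to the client.
SERVER_KEY = secrets.token_bytes(32)


def _sign(payload: str) -> str:
    return hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()


def login(username: str, password: str, ttl: int = 3600,
          now: Optional[int] = None) -> Optional[str]:
    """Check the credentials once, then issue 'user:expiry:nonce:hmac'.

    The cookie value holds no password, so a copied cookie file reveals no
    credential, and the value stops working after `ttl` seconds or if altered.
    """
    stored = USER_DB.get(username)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)
    if stored is None or not hmac.compare_digest(stored, candidate):
        return None
    now = int(time.time()) if now is None else now
    payload = f"{username}:{now + ttl}:{secrets.token_hex(8)}"
    return f"{payload}:{_sign(payload)}"


def verify(cookie: str, now: Optional[int] = None) -> Optional[str]:
    """Return the username if the cookie is authentic and unexpired, else None."""
    now = int(time.time()) if now is None else now
    try:
        payload, sig = cookie.rsplit(":", 1)
        username, expiry, _nonce = payload.rsplit(":", 2)
    except ValueError:
        return None
    if not hmac.compare_digest(sig, _sign(payload)):
        return None  # altered or forged: signature no longer matches
    if now >= int(expiry):
        return None  # a stale copy of the cookie is no longer accepted
    return username


def set_cookie_header(value: str) -> str:
    """Set-Cookie line: Secure keeps it off cleartext links, HttpOnly away from scripts."""
    return f"Set-Cookie: session={value}; Secure; HttpOnly; SameSite=Strict; Path=/"
```

The `Secure`, `HttpOnly` and `SameSite` attributes are modern cookie features; the point that matters for the thread is that the cookie never contains the password, and it is useless once expired or modified.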