stealing someone's cookies

eeps24

Posted: Sun May 08, 2005 1:39 am    Post subject: stealing someone's cookies

I'm not sure where this topic should be, so I just posted it here...

My question is: let's say "Frank" has a computer. He visits all kinds of sites that he buys things from, etc. He goes to sites and has his user name and password saved so he doesn't have to enter them. If "Dave" went to Frank's computer, physically or logically, whichever, and copied and pasted Frank's cookies into Dave's computer, will Dave have all of Frank's username, passwords, etc. saved into Dave's computer? I always wondered about this.
njan

Posted: Sun May 08, 2005 1:59 am

This depends upon how cookies are being used by the website which uses them - cookies are small pieces of information stored by webservers on your computer, varying from advertisers tracking your preferences to tokens used to remember your login status for an online retailer. For more information about cookies, howstuffworks.com has quite a good explanation of them here.

Cookies store name-value pairs - as you may know (will know, if you've visited the URL above) for items such as User IDs - any sensible web application will, when it stores a user ID in a name-value pair as part of a cookie on your system, store information about this in a database on the server along with your IP address. Some webmail systems will give you the option to restrict login by IP address or not; unfortunately, a lot of applications don't appear to do this, but most webmail systems should.

Login information for different systems online will really depend upon how the application has been coded; again, any sensible application author will take this into account and save state to the database, but there are plenty of applications (either by omission or design) which don't.
icujc

Posted: Sun May 08, 2005 2:37 am

Quote:
Some webmail systems will give you the option to restrict login by IP address or not; unfortunately, a lot of applications don't appear to do this, but most webmail systems should.


Not so sure this would be a plausible solution with most users receiving a new IP address via DHCP from their ISPs every few days or so. For those that are lucky enough to have static IPs this would be a very good choice, but I would have to say that is only a selected few who either pay extra to their ISP or have found an ISP that uses static IP address assignments.
njan

Posted: Sun May 08, 2005 2:42 am

Quote:

Not so sure this would be a plausible solution with most users receiving a new IP address via DHCP from their ISPs every few days or so. For those that are lucky enough to have static IPs this would be a very good choice, but I would have to say that is only a selected few who either pay extra to their ISP or have found an ISP that uses static IP address assignments.


Even more reason not to use cookies at all and rely on password-based authentication and a PHP session or temporary cookie for the duration of the transaction!
All times are GMT + 2 Hours
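
The trade-off discussed in this thread, as an added example that is not part of any poster's reply: a server-side session table keyed by a random cookie token, with optional binding to the client IP address and a fixed lifetime. The class, the `demo` function and the TTL value are hypothetical, and the addresses are constructed from documentation ranges.

```python
import secrets
import time

SESSION_TTL = 15 * 60  # assumed lifetime (seconds) for a short-lived session

class SessionStore:
    """Server-side session table; the cookie holds only a random token."""

    def __init__(self, bind_ip, ttl=SESSION_TTL, clock=time.time):
        self._sessions = {}  # token -> (user, client_ip, expires_at)
        self._bind_ip, self._ttl, self._clock = bind_ip, ttl, clock

    def login(self, user, client_ip):
        token = secrets.token_urlsafe(32)  # unguessable cookie value
        self._sessions[token] = (user, client_ip, self._clock() + self._ttl)
        return token

    def validate(self, token, client_ip):
        """Return (user, reason); user is None when the cookie is rejected."""
        record = self._sessions.get(token)
        if record is None:
            return None, "unknown token"
        user, bound_ip, expires_at = record
        if self._clock() >= expires_at:
            del self._sessions[token]  # expired sessions are forgotten
            return None, "expired"
        if self._bind_ip and client_ip != bound_ip:
            return None, "ip mismatch"
        return user, "ok"

def demo():
    now = [1_000_000.0]  # fake clock; all inputs below are constructed
    bound = SessionStore(bind_ip=True, clock=lambda: now[0])
    unbound = SessionStore(bind_ip=False, clock=lambda: now[0])
    c1 = bound.login("frank", "198.51.100.7")
    c2 = unbound.login("frank", "198.51.100.7")
    out = {
        "no binding, cookie from other address": unbound.validate(c2, "203.0.113.50"),
        "binding, same address": bound.validate(c1, "198.51.100.7"),
        "binding, cookie from other address": bound.validate(c1, "203.0.113.50"),
        # The DHCP objection: the legitimate user after an address change.
        "binding, owner after new lease": bound.validate(c1, "198.51.100.99"),
    }
    now[0] += SESSION_TTL + 1
    out["binding, same address after TTL"] = bound.validate(c1, "198.51.100.7")
    return out

if __name__ == "__main__":
    print(*demo().items(), sep="\n")
```

Strict IP binding rejects a cookie presented from another address, but it also logs out the owner after an address change; the short lifetime limits how long any copied cookie stays useful either way.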