At 07:32 AM 6/13/02 -0700, Vuillemot, Ward W wrote:

>I log into your web-site as memberA.  You kindly leave me a delicious cookie
>with my username stored in it.  Maybe even my password (I hope not!).  Now,
>I know that another member, memberB, has special rights to your site.  What
>is stopping me from editing the cookie to memberB's username and hijacking
>their account?
<snip>
>(Plus, the checksum ensures that one is tampering with the
>cookie.)

You touched this subject in the next paragraph. You should always include a 
hash or checksum as part of your cookie value. And then validate this info 
on each request. This prevents the situation you described where you just 
change the cookie. Even if the cookie value is just a session id, it is 
nice to have the hash to make sure they just don't go changing their 
cookie, but not necessary if your session IDs are random.

Drew

======================================================================
Drew Taylor                  |  Freelance web development using
http://www.drewtaylor.com/   |  perl/mod_perl/MySQL/postgresql/DBI
mailto:[EMAIL PROTECTED]   |  Email jobs at drewtaylor.com
----------------------------------------------------------------------
Speakeasy.net: A DSL provider with a clue. Sign up today.
http://www.speakeasy.net/refer/29655
======================================================================
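The signed-cookie check Drew describes, as an added example that is not part of the original thread: the server appends a keyed hash (HMAC) to the cookie value and recomputes it on every request, so changing memberA to memberB invalidates the cookie. The secret key, the `username|expiry|mac` layout and the function names are constructed for this example, and Python is used here even though the list's own stack is Perl.

```python
import hmac
import hashlib
import time
from typing import Optional, Tuple

# Constructed server-side secret for the example. It never leaves the server;
# without a secret the client could simply recompute a plain checksum.
SECRET_KEY = b"example-secret-key-not-for-production"


def _mac(payload: str, key: bytes = SECRET_KEY) -> str:
    # Keyed hash (HMAC-SHA256) over the fields the cookie carries.
    return hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()


def issue_cookie(username: str, ttl_seconds: int = 3600,
                 now: Optional[int] = None) -> str:
    """Build a cookie value of the form username|expiry|mac."""
    if "|" in username:
        raise ValueError("username may not contain the field separator")
    now = int(time.time()) if now is None else now
    payload = f"{username}|{now + ttl_seconds}"
    return f"{payload}|{_mac(payload)}"


def validate_cookie(cookie: str, now: Optional[int] = None) -> Optional[str]:
    """Return the username if the cookie is intact and unexpired, else None."""
    parts = cookie.split("|")
    if len(parts) != 3:
        return None
    username, expiry, mac = parts
    # Constant-time comparison so the check does not leak where the MAC differs.
    if not hmac.compare_digest(mac, _mac(f"{username}|{expiry}")):
        return None
    now = int(time.time()) if now is None else now
    if not expiry.isdigit() or int(expiry) <= now:
        return None
    return username


def tamper_demo(now: int = 1_000_000) -> Tuple[Optional[str], Optional[str]]:
    """Issue memberA's cookie, then edit the username field to memberB."""
    good = issue_cookie("memberA", now=now)
    forged = good.replace("memberA", "memberB", 1)
    # The genuine cookie validates; the edited one fails the MAC check.
    return validate_cookie(good, now=now), validate_cookie(forged, now=now)
```

The same check rejects an expired cookie and any value with the wrong number of fields, so a single validation step on every request covers all three cases.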
