
View Full Version : Faking cookies



rhodopsin
11-06-2004, 04:49 PM
Imagine a web page. We shall call it Web page A. To view this web page A the user must have a cookie in their browser called "Camb". If they point their browser at web page A and they don't have this "Camb" cookie then they are redirected to an error page. If they do have the "Camb" cookie they are allowed to stay and view the content of web page A.
They can pick up this cookie if they visit web page B.

That is, the viewer can only view web page A if they have been to web page B previously.

Is there any way to cheat this system so that one can look at web page A without previously having been to web page B?

That is assuming disabling cookies is not an option.

Could the user maybe somehow put a cookie on their browser and call it "Camb"? Can cookies be faked like this? Is a cookie just a name and so can be faked so easily like this - just by putting a cookie with the same name on the browser? Or is there more to them?

Would so appreciate some help with this. Many thanks,

P.S. I apologise that this post may be a bit off topic for the forum - but it is related to javascript in a sense that javascript is the language of cookies.

kansel
11-06-2004, 05:27 PM
There are ways to make this work, but Javascript is not the solution. The easiest way to circumvent this javascript/cookie method is just to disable javascript.

And yes, a user could just put a cookie on their machine to spoof this system, but disabling javascript is easier.

If you really need this to work, you should look into a server-side language like PHP. PHP can read cookies and unlike javascript, the source code of PHP is hidden from the browser.

Basscyst
11-06-2004, 10:15 PM
You can spoof cookies? My understanding is that cookies can only be read by the domain that created them. . .In which case the name of the cookie is completely irrelevant when speaking outside the domain that "baked" it. I could be wrong but. . .

Basscyst

rhodopsin
11-06-2004, 10:22 PM
RE: "You can spoof cookies? My understanding is that cookies can only be read by the domain that created them. . .In which case the name of the cookie is completely irrelevant when speaking outside the domain that "baked" it. I could be wrong but. . ."

HOPE!! Is this correct? Am I getting excited over a wrong turn? I really hope that this paragraph is correct. Can anyone verify/refute it?

thanks guys.

kansel
11-06-2004, 10:48 PM
As far as different domains are concerned, this is true. But a user can create their own cookies outside or inside the browser.

Paste this in the address bar while browsing codingforums.com and the cookie will show up with codingforums.com as the domain.
javascript:void(document.cookie='cookieTest=1234')

To verify it created the cookie, use
javascript:alert(document.cookie)
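
[Added example, not part of the original thread or any poster's code.] Because a visitor can set a cookie named "Camb" by hand as shown above, a server-side check on page A has to verify the cookie's value rather than its presence. A minimal Node.js sketch, in which page B issues an HMAC-signed value and page A accepts only values it can verify; the function names, the `visitedB` token layout and the 30-minute lifetime are assumptions:

```javascript
// Added example: names, token layout and lifetime are assumptions, not from the thread.
const crypto = require('crypto');

const SECRET = crypto.randomBytes(32);   // stays on the server, never sent to the browser
const MAX_AGE_MS = 30 * 60 * 1000;       // assumed lifetime of the "visited B" proof

function sign(payload) {
  return crypto.createHmac('sha256', SECRET).update(payload).digest('hex');
}

// Page B: value to send as  Set-Cookie: Camb=<value>
function issueCamb(now = Date.now()) {
  const payload = `visitedB.${now}`;
  return `${payload}.${sign(payload)}`;
}

// Page A: accept only a value this server signed and that has not expired.
function verifyCamb(value, now = Date.now()) {
  const m = /^visitedB\.(\d{1,15})\.([0-9a-f]{64})$/.exec(value || '');
  if (!m) return false;                                  // wrong shape, e.g. "1234"
  const expected = Buffer.from(sign(`visitedB.${m[1]}`), 'hex');
  const given = Buffer.from(m[2], 'hex');
  if (!crypto.timingSafeEqual(given, expected)) return false;  // forged or altered
  const age = now - Number(m[1]);
  return age >= 0 && age <= MAX_AGE_MS;
}

// Pull one cookie out of a raw Cookie request header.
function readCookie(header, name) {
  for (const part of (header || '').split(';')) {
    const i = part.indexOf('=');
    if (i > 0 && part.slice(0, i).trim() === name) return part.slice(i + 1).trim();
  }
  return undefined;
}

// Decision page A makes before serving content (otherwise redirect to the error page).
function allowPageA(cookieHeader, now = Date.now()) {
  return verifyCamb(readCookie(cookieHeader, 'Camb'), now);
}
```

A valid signature shows that the server issued the value; it does not tie the value to one browser, so a cookie copied from a browser that did visit page B would still verify until it expires.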

Basscyst
11-06-2004, 11:01 PM
Ahh, indeed, hadn't thought about that. Tricky tricky. :D

Basscyst

Mr J
11-07-2004, 09:11 AM
I did something very similar to your request some months ago, maybe you can adapt it.

See the example at

www.huntingground.freeserve.co.uk/scripts/snav.htm

Scroll down to the cookie section and select History


