Cookie Spoofing and Security

It's easy to spoof a cookie. Did you know that?

A Firefox extension lets a person type in their own cookie. A PHP or Perl CGI script, and probably other server-side scripts, can send any cookie to remote websites. Although I don't use Chrome very much, it has so many built-in development tools I wouldn't be at all surprised if it enabled spoofing of cookies right at the user interface.

Cookies are easy to spoof because of this one simple and obvious fact:

Cookies are stored with the browser or whatever software is accessing the website.

Because they're readily available, cookies can be deleted, cookie data can be changed, and cookies can be created to work with a website without first visiting that website.

So, with all that possible spoofing, how can a membership site (as an example) keep its pages secure?

There are several levels of security. A good choice is a balance between user convenience and the value of the data in the membership site or the potential damage if unauthorized access were accomplished. (This article uses the idea of a membership site as an example of something that requires a cookie for access.)

Let's address data value and potential damage, first.

If your membership site provides up-to-the-second information regarding the location of undercover police officers, you'll want the best security available — regardless how much authorized users are inconvenienced.

On the other hand, if your membership contains only information of little interest to those outside the niche you're operating in, the required security may be less. You worked hard gathering the information, and it's valuable information. But if a break-in is unlikely to harm others, less security may enhance member convenience without much additional risk.

Spoofing a cookie requires knowing the cookie name and, generally, valid cookie data.

There are a number of surreptitious ways to get cookie names, from intercepting data packets to simply buying a membership, getting the required information, and requesting a refund. How easy it is to obtain valid cookie data depends on the level of security.

There are three broad levels of cookie security.

Cookie Security Level One

This level is the least secure, the easiest to spoof.

The cookie is composed of a name and a simple value. Perhaps the value is the member's name or ID.

Any name or ID can be used as a value, so long as the format matches what the software on the server looks for. Any browser or robot that presents a cookie with a value in that format is granted access to the membership area, because nothing is checked beyond the value's presence and shape.

Once the cookie is successfully spoofed, the cracker has permanent access to the members area — unless the software on the server is upgraded, perhaps for better cookie security or just to change the cookie name.

This level of cookie security may be acceptable for member areas with information of little or no consequence or for temporary member areas perhaps used for testing or demonstration.

Cookie Security Level Two

This level is more secure because, while it doesn't prevent spoofing, it does validate the cookies with each member page request. When a member page is requested, the database is consulted to verify the member exists and is in good standing.

(This is somewhat similar to how PHP $_SESSION variables work, except $_SESSION variables keep access authorization data in separate files on the server and generally don't have access to other membership data.)

The cookie value is an encrypted key and may contain other information essential to validating the key itself. The software uses the encrypted key to look up the member record. The member record contains the data to validate the cookie.

Cookie Security Level Three

This level is highly secure. Every time a cookie is used to access a member page, the cookie's encrypted key value is changed. The next time the browser requests a page, the browser must identify itself as the same browser that accessed the previous page and it must provide the most recently issued cookie value.

As a reader suggested, IP identification might also be used, especially when the IP addresses are known in advance and, for example, access is limited to connections from within a certain company. Otherwise, IP identification isn't a viable method. Some ISPs change users' IP addresses with every request for a web page.

The cookie is virtually impossible to spoof. The cracker would have to be very, very lucky. Even then, the real member logging in would invalidate the cracker's cookie and they would have to be very, very lucky all over again to repeat the feat.

But there's a downside. Every time a member logs in, they're kicked off any other browsers they previously used to log in.

Members who use only one browser wouldn't be inconvenienced. But those who use more than one, perhaps a desktop browser at the office and a tablet or phone at home or a laptop while traveling, would need to log in again every time they switch browsers.
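The three levels described above, worked through as an added example (this is not WillMaster code; it assumes an in-memory Python dictionary standing in for the membership database, a SHA-256 hash of a random key standing in for the "encrypted key", and the browser's User-Agent string standing in for browser identification). The same forged cookie is accepted at level one and refused at level two, and at level three a replayed key, a different browser, and a login from a second browser are each refused:

```python
import hashlib
import hmac
import secrets

# Constructed in-memory member table standing in for the membership database.
# Each record holds the data needed to validate a cookie at levels two and three.
MEMBERS = {
    "42": {"name": "alice", "good_standing": True, "key_hash": None, "browser_hash": None},
    "43": {"name": "bob", "good_standing": False, "key_hash": None, "browser_hash": None},
}


def _hash(value):
    return hashlib.sha256(value.encode()).hexdigest()


# Level one: the cookie value is the member ID and nothing is looked up.
def level_one_check(cookie):
    member = cookie.get("member", "")
    return member.isdigit()  # any well-formed value passes, so a forged cookie works


# Level two: the cookie carries a random key; the member ID in the cookie selects the
# record, and the hash stored in the record decides whether the key is genuine.
def level_two_login(member_id):
    key = secrets.token_urlsafe(32)
    MEMBERS[member_id]["key_hash"] = _hash(key)
    return {"member": member_id + ":" + key}


def level_two_check(cookie):
    member_id, _, key = cookie.get("member", "").partition(":")
    record = MEMBERS.get(member_id)
    if record is None or record["key_hash"] is None or not record["good_standing"]:
        return False
    return hmac.compare_digest(record["key_hash"], _hash(key))


# Level three: level two plus a fresh key on every validated request and a check that
# the request comes from the browser the key was issued to (assumed: User-Agent).
def level_three_login(member_id, user_agent):
    MEMBERS[member_id]["browser_hash"] = _hash(user_agent)
    return level_two_login(member_id)  # replaces any key held by another browser


def level_three_check(cookie, user_agent):
    """Return the next cookie to set, or None if the request is refused."""
    if not level_two_check(cookie):
        return None
    record = MEMBERS[cookie["member"].partition(":")[0]]
    if record["browser_hash"] is None or not hmac.compare_digest(
        record["browser_hash"], _hash(user_agent)
    ):
        return None
    # Rotate: the presented key is now dead and this browser receives a new one.
    return level_two_login(cookie["member"].partition(":")[0])


def demo():
    results = {}
    forged = {"member": "42"}  # constructed cookie: a guessed member ID and nothing else
    results["level1_forged"] = level_one_check(forged)            # True
    results["level2_forged"] = level_two_check(forged)            # False: no valid key
    results["level2_real"] = level_two_check(level_two_login("42"))   # True
    results["level2_lapsed"] = level_two_check(level_two_login("43")) # False: not in good standing
    desk = level_three_login("42", "Desktop/1.0")
    fresh = level_three_check(desk, "Desktop/1.0")
    results["level3_first"] = fresh is not None                   # True
    results["level3_replay"] = level_three_check(desk, "Desktop/1.0") is None     # True: old key
    results["level3_other_browser"] = level_three_check(fresh, "Phone/2.0") is None  # True
    level_three_login("42", "Phone/2.0")                           # member logs in elsewhere
    results["level3_desk_kicked"] = level_three_check(fresh, "Desktop/1.0") is None  # True
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The browser check is done before the key is rotated, so a request from the wrong browser neither gains access nor burns the legitimate browser's key. The last line of the demo is the inconvenience the article describes: once the phone logs in, the desktop's key no longer matches the member record.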

The Three Cookie Security Levels

The above three cookie security levels are of necessity broadly described. Detailed instructions for one type of site would be incorrect for another.

For cookie-setting instructions using various languages and for various purposes, type "setting cookie" (no quotes) into the search box at the top of this page.

If you learned something here and want to share this article, click or tap the handy link in the box on the right. In a couple of clicks and less than half a minute of your time, you will make it possible for your followers to learn how to protect themselves from cookie spoofing.

(This article first appeared in Possibilities ezine.)

Will Bontrager

© 1998-2001 William and Mari Bontrager
© 2001-2011 Bontrager Connection, LLC
© 2011-2024 Will Bontrager Software LLC