-
Cookie Stealing
I’m testing out how cookie stealing works by copying my own cookies from IE (I use Mozilla, but IE is easy to test this with). Specifically, I’m taking the cookie that phpBB uses to store my password in, copying it to another machine, renaming it to match the Windows account I’m logged in under and seeing if it lets me authenticate to my own site. So far it does not, and I guess that’s a good thing, but my question is why does the above method not work?
-
You need to export and import the cookies. Then it *should* work.
-
Oops, I think I made another mistake. I chose the wrong cookie; the one I have may not have the login information in it. Thanks for the pointer, Phish.
-
Dag Nab It.....think you're stealing a chocolate chip and get an oatmeal cookie instead.
(sorry, just couldn't resist that......heh heh heh)
-
Who took the cookies from the cookie jar?
Moxnix took the cookies from the cookie jar.
Moxnix: Who me?
AO: Yes you.
Moxnix: Couldn't be.
AO: Then who?
.......................
Uh... time for bed. My brain is officially fried...
12hrs in a classroom will do it.
8hrs in an upgrading admin skills from 2k server to 2k3 server workshop and then another 4hrs doing boolean algebra. ouch...
-
If you two keep up the bad jokes I think I’m going to be sick and lose my cookies. :)
-
Hey now! Watch where you're tossing those cookies...
-
Back to the subject: I did some playing around. What if all you have is a cookie file and cannot get to the computer to do the export (as an attacker may not be able to do)? Is there a way if all they have is the cookie file?
-
I'm not all that good with web security yet. (I'm still learning)
I believe that there are a couple of vulnerabilities in different web browsers that allowed an attacker to steal cookies. Google has come up with a couple of them.
Or, I know that an attacker can sniff your cookies and then play them back to the server.
Sorry, that's out of my scope. I've got a lot to learn about web security. I don't run webservers... so it's always been a low priority for me. :(
-
That's XSS (cross site scripting) bro! Go check it out...
AO was vulnerable to that a month or 3 ago... Like every CMS and forum software has been vulnerable to it at least once.