Soda_Popinsky - That was probably the 3rd issue of that nature I've run into on AO, and I'm quite happy to say I haven't run into any more since then ;)
Anyways, Irongeek, the goal of stealing the cookie is to get the unique session id. With someone's session id, you essentially are them. A quick look into web authentication in its simpler form reveals:
- User types in username/password into a form -> submits
- Website returns SessionID so the password isn't exchanged more than it needs to be
- SessionID is used to authenticate user since HTTP is session-less
Thus, once you have the SessionID (which is usually a random string of some sort stored in the cookie) you should be able to pose as someone. But, when the user logs out of the messageboard, the messageboard no longer associates that sessionID with that user. When you say you are getting the cookie that stores the Username/Password, that is just the "remember this user" cookie thing. It has little to do with sessionIDs.
For your experiment to work, you need to log in, and then "steal" your sessionID. Get the other computer to use that sessionID, and it *should* work as you intended.
So, for those wanting to protect yourselves against getting your sessionID stolen, remember to log out. There are a few websites out there that use static session IDs that are the same, so that you don't actually have to wait until someone logs in to hijack it, but as far as I've seen most major webmail and messageboards use dynamic sessionIDs that expire and change after a certain amount of time.
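
The session lifecycle described in the post above, as an added example that is not part of the original thread: a server-side session table in which a copied session ID is accepted until logout or expiry removes it. The `SessionStore` class, the 900-second lifetime and the user name `alice` are hypothetical, chosen for illustration.

```python
import secrets


class SessionStore:
    """Server-side table mapping session ID -> (username, expiry time)."""

    def __init__(self, ttl_seconds=900):  # lifetime is an assumed value
        self.ttl = ttl_seconds
        self._sessions = {}

    def login(self, username, password_ok, now):
        # The password is checked once; afterwards only the ID travels.
        if not password_ok:
            return None
        sid = secrets.token_urlsafe(32)  # fresh random ID on every login
        self._sessions[sid] = (username, now + self.ttl)
        return sid

    def whoami(self, sid, now):
        # HTTP is stateless, so every request is authenticated by the ID alone.
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        username, expires = entry
        if now >= expires:
            del self._sessions[sid]  # expired IDs stop working
            return None
        return username

    def logout(self, sid):
        # Logging out removes the association between ID and user.
        self._sessions.pop(sid, None)


def demo():
    store = SessionStore(ttl_seconds=900)
    sid = store.login("alice", password_ok=True, now=0)
    copied = sid  # the same cookie value presented from a second computer
    results = {"copied_id_while_logged_in": store.whoami(copied, now=10)}
    store.logout(sid)
    results["copied_id_after_logout"] = store.whoami(copied, now=20)
    sid2 = store.login("alice", password_ok=True, now=30)
    results["new_login_gets_new_id"] = sid2 != sid
    results["id_after_expiry"] = store.whoami(sid2, now=30 + 900)
    return results


if __name__ == "__main__":
    print(demo())
```
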