Re: spoofing cookies

• Messages sorted by: [ date ][ thread ][ subject ][ author ]
• Next message: Richard Gray: "Re: Calculation of age headers"
• Previous message: Keld J|rn Simonsen: "Re: spoofing cookies"
• In reply to: Keld J|rn Simonsen: "spoofing cookies"

> 
> I recently asked about how you could use cookies to make some
> lightweight security, and got the answer that cookies are easy to spoof
> and thus very insecure. You can just as a server ask for another servers
> cookie, and then you can spoof the original server. 
> 
> My idea was that this kind of spoofing could be prevented, if
> the client stored the cookie with an identification of the server.
> Then to spoof you need to do IP spoofing, which can be done,
> but which is close to being criminal.
> 
> Is that something to list in a "best practice" section somewhere?
> 
> keld
> 

This concept works well with static IP addresses, but totally 
breaks when you get a different dynamically allocated IP address the 
next time you dial into your ISP.  

The IP is different, but no spoofing has occured, and the cookie
is valid.

Jonathan

• Next message: Richard Gray: "Re: Calculation of age headers"
• Previous message: Keld J|rn Simonsen: "Re: spoofing cookies"
• In reply to: Keld J|rn Simonsen: "spoofing cookies"