Re: Cookies and LWP and shopping sites
JP May (jpm@rootworks.com)
Mon, 27 Apr 1998 22:25:01 -0600
>Hi,
>
>it does appear easy to have LWP use cookies. For example, the following
>seems to add cookies to a request before making it:
>
>$cookie_jar = new HTTP::Cookies;
>
>$cookie_jar -> set_cookie(1, 'SESSION_ID', $user, '/',
>'.sell.net','80',0,0,10000); # A cookie that lives for 10,000 seconds ...
>
>$ua -> cookie_jar($cookie_jar);
>
>This cookie is then submitted in the request.
>
>A lot of shops out there use cookies in a fairly insecure way to encode
>user-ids that are picked up on the next request to the store.
>
>What is to stop someone snooping them and using LWP to hijack user
>accounts? Or guessing userids ...
>
Generally speaking, "you" (i.e., a server) can only get at any cookies which come from your domain name.
In other words, browsers are what stop you from snooping, I think.
Getting cookies is a pretty simple business; if you do a little investigation WITHOUT using LWP, you'll get the idea.
Just put something like this in any CGI and print out the value:
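
    $cookiestuff = $ENV{HTTP_COOKIE};

You might have a routine like this to get 'your' cookie:

    $KNAME = 'happystore'; ...

    # get our store's cookie, return 0 if none
    sub getuserscookie
    {
        # HTTP_COOKIE is unset when the browser sent no cookies at all
        my $v = defined $ENV{HTTP_COOKIE} ? $ENV{HTTP_COOKIE} : '';
        # \b keeps a longer name that merely ends in $KNAME from matching
        if ($v =~ /\b$KNAME=(\d+)/)
        {
            $v = $1;
        }
        else
        {
            $v = 0;
        }
        return $v;
    }
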
>Regards
>-------
>Richard Sharpe, sharpe@ns.aus.com, NIC-Handle:RJS96
>NS Computer Software and Services P/L,
>Ph: +61-8-8281-0063, FAX: +61-8-8250-2080,
>Linux, AIX, Digital UNIX, ULTRIX, SunOS, Samba, Apache, NetScape,
>StrongHold, Perl, C, PPP ...
* * * * *
Rootworks
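
Added example, not part of either message above: the thread's question about guessable user ids comes down to the store trusting a bare number in its cookie, so this sketch has the store attach an HMAC tag to the id and check it when the cookie comes back. The cookie name is taken from the reply; the key, the "id.tag" layout and the helper names are assumptions made for the illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

# Assumptions for this example: key and value layout are made up.
my $KNAME  = 'happystore';
my $SECRET = 'replace-with-a-long-random-server-side-key';   # placeholder

# Build the value the store would set: "<id>.<HMAC-SHA256 of id>".
sub make_cookie_value {
    my ($id) = @_;
    return $id . '.' . hmac_sha256_hex($id, $SECRET);
}

# Compare two strings without stopping at the first differing character.
sub same_string {
    my ($x, $y) = @_;
    return 0 if length($x) != length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1))
        for 0 .. length($x) - 1;
    return $diff == 0;
}

# Return the user id from our cookie, or 0 if it is missing, malformed,
# or carries a tag that does not match the id.
sub get_verified_id {
    my ($header) = @_;
    $header = '' unless defined $header;
    for my $pair (split /;\s*/, $header) {
        my ($name, $value) = split /=/, $pair, 2;
        next unless defined $value && $name eq $KNAME;
        my ($id, $tag) = $value =~ /\A(\d+)\.([0-9a-f]{64})\z/ or return 0;
        return same_string($tag, hmac_sha256_hex($id, $SECRET)) ? $id : 0;
    }
    return 0;
}

# Constructed sample headers, standing in for $ENV{HTTP_COOKIE}.
my $good    = "lang=en; $KNAME=" . make_cookie_value(1042);
my $guessed = "$KNAME=1043";                                    # bare id, no tag
my $swapped = "$KNAME=1043." . hmac_sha256_hex(1042, $SECRET);  # tag of another id

printf "%-8s -> %s\n", $_->[0], get_verified_id($_->[1])
    for [good => $good], [guessed => $guessed], [swapped => $swapped];
```

The tag only addresses guessing and tampering; a cookie captured in transit is still valid, which is why the value also needs to travel over an encrypted connection.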