W3C home > Mailing lists > Public > ietf-http-wg-old@w3.org > September to December 1997

Re: spoofing cookies

From: Keld J|rn Simonsen <keld@dkuug.dk>
Date: Mon, 6 Oct 1997 21:22:58 +0200
Message-Id: <199710061923.VAA28037@dkuug.dk>
To: stark@truste.org
Cc: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
Jonathan Stark writes:

> > 
> > I recently asked about how you could use cookies to make some
> > lightweight security, and got the answer that cookies are easy to spoof
> > and thus very insecure. You can just as a server ask for another servers
> > cookie, and then you can spoof the original server. 
> > 
> > My idea was that this kind of spoofing could be prevented, if
> > the client stored the cookie with an identification of the server.
> > Then to spoof you need to do IP spoofing, which can be done,
> > but which is close to being criminal.
> > 
> > Is that something to list in a "best practice" section somewhere?
> > 
> > keld
> > 
> 
> This concept works well with static IP addresses, but totally 
> breaks when you get a different dynamically allocated IP address the 
> next time you dial into your ISP.  
> 
> The IP is different, but no spoofing has occured, and the cookie
> is valid.

You mean the client IP address? I was only thinking on having
the server IP name recorded together with the cookie, 
and then the client could make a reverse DNS lookup to locate
the cookie. Hmm, maybe it does not work for proxies...
Then you could do something relevant to the DNS part of the url
that has been issued...

Keld
Received on Monday, 6 October 1997 12:25:37 EDT

This archive was generated by hypermail pre-2.1.9 : Wednesday, 24 September 2003 06:33:01 EDT