
Re: spoofing cookies

From: Jonathan Stark <stark@truste.org>
Date: Mon, 6 Oct 1997 12:12:42 -0700 (PDT)
Message-Id: <199710061912.MAA04473@boa.commerce.net>
To: Keld J|rn Simonsen <keld@dkuug.dk>
Cc: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
X-Mailing-List: <http-wg@cuckoo.hpl.hp.com> archive/latest/4525
> I recently asked about how you could use cookies to make some
> lightweight security, and got the answer that cookies are easy to spoof
> and thus very insecure. You can just, as a server, ask for another server's
> cookie, and then you can spoof the original server.
> My idea was that this kind of spoofing could be prevented, if
> the client stored the cookie with an identification of the server.
> Then to spoof you need to do IP spoofing, which can be done,
> but which is close to being criminal.
> Is that something to list in a "best practice" section somewhere?
> keld

This concept works well with static IP addresses, but totally 
breaks when you get a different dynamically allocated IP address the 
next time you dial into your ISP.  

The IP is different, but no spoofing has occurred, and the cookie
is valid.
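To make the two positions in this exchange concrete, here is an added example (not code from either poster or from any cookie implementation of the time). It contrasts a client-side cookie store that keys cookies by the server's hostname, so that one host cannot read another host's cookie, against a store that ties the cookie to the client's IP address and therefore loses the cookie after a dial-up reconnect assigns a new address. Hostnames and addresses are constructed for the illustration.

```python
"""Added example: server-identity cookie scoping versus client-IP binding.
Hostnames (shop.example, evil.example) and IPs are constructed sample data."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Cookie:
    name: str
    value: str
    domain: str  # the server identity this cookie was received from


def _host_matches(host: str, domain: str) -> bool:
    """True when `host` is `domain` itself or a subdomain of it."""
    host, domain = host.lower(), domain.lower().lstrip(".")
    return host == domain or host.endswith("." + domain)


class HostScopedStore:
    """Cookies are stored under the hostname that set them.  A request to a
    different host gets nothing back, whatever IP address either side has."""

    def __init__(self) -> None:
        self._jar: Dict[str, Dict[str, Cookie]] = {}

    def receive(self, from_host: str, name: str, value: str,
                domain: str = "") -> bool:
        # A server may only set cookies for its own host or a parent domain
        # that it belongs to; a claim for an unrelated domain is rejected.
        domain = (domain or from_host).lower().lstrip(".")
        if not _host_matches(from_host, domain):
            return False
        self._jar.setdefault(domain, {})[name] = Cookie(name, value, domain)
        return True

    def cookies_for(self, request_host: str) -> List[Cookie]:
        found = [c for dom, cookies in self._jar.items()
                 if _host_matches(request_host, dom)
                 for c in cookies.values()]
        return sorted(found, key=lambda c: c.name)


class IpBoundStore:
    """The variant the reply objects to: the cookie is only returned when
    the client presents the same IP it had when the cookie was stored."""

    def __init__(self) -> None:
        self._jar: Dict[str, Dict[str, str]] = {}

    def receive(self, client_ip: str, name: str, value: str) -> None:
        self._jar.setdefault(client_ip, {})[name] = value

    def cookies_for(self, client_ip: str) -> Dict[str, str]:
        return dict(self._jar.get(client_ip, {}))


def demo() -> dict:
    """Run both stores through the scenarios discussed in the thread."""
    scoped = HostScopedStore()
    scoped.receive("shop.example", "session", "abc")
    # evil.example tries to set (and later read) a cookie for shop.example
    stolen_set = scoped.receive("evil.example", "session", "xyz",
                                domain="shop.example")

    ip_bound = IpBoundStore()
    ip_bound.receive("10.0.0.5", "session", "abc")   # first dial-up session
    after_redial = ip_bound.cookies_for("10.0.0.77")  # ISP assigned a new IP

    return {
        "legit_host_sees": [c.value for c in scoped.cookies_for("shop.example")],
        "subdomain_sees": [c.value for c in scoped.cookies_for("www.shop.example")],
        "other_host_sees": [c.value for c in scoped.cookies_for("evil.example")],
        "other_host_could_set": stolen_set,
        "ip_bound_after_redial": after_redial,
    }


if __name__ == "__main__":
    for key, val in demo().items():
        print(f"{key}: {val}")
```

The host-scoped store shows what "storing the cookie with an identification of the server" buys when that identification is the hostname rather than an address: the cookie survives a change of client IP and still cannot be handed to a different host. The IP-bound store reproduces the failure the reply describes, where a perfectly valid cookie is dropped after a reconnect.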

Received on Monday, 6 October 1997 12:39:18 UTC

This archive was generated by hypermail 2.3.1 : Wednesday, 7 January 2015 14:40:21 UTC