W3C home > Mailing lists > Public > ietf-http-wg-old@w3.org > September to December 1997

Re: spoofing cookies

From: Jonathan Stark <stark@truste.org>
Date: Mon, 6 Oct 1997 12:12:42 -0700 (PDT)
Message-Id: <199710061912.MAA04473@boa.commerce.net>
To: Keld J|rn Simonsen <keld@dkuug.dk>
Cc: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
> 
> I recently asked about how you could use cookies to make some
> lightweight security, and got the answer that cookies are easy to spoof
> and thus very insecure. You can just as a server ask for another servers
> cookie, and then you can spoof the original server. 
> 
> My idea was that this kind of spoofing could be prevented, if
> the client stored the cookie with an identification of the server.
> Then to spoof you need to do IP spoofing, which can be done,
> but which is close to being criminal.
> 
> Is that something to list in a "best practice" section somewhere?
> 
> keld
> 

This concept works well with static IP addresses, but totally 
breaks when you get a different dynamically allocated IP address the 
next time you dial into your ISP.  

The IP is different, but no spoofing has occured, and the cookie
is valid.

Jonathan
Received on Monday, 6 October 1997 12:39:18 EDT

This archive was generated by hypermail pre-2.1.9 : Wednesday, 24 September 2003 06:33:01 EDT