We have an application that, among other things, checks the existence of a cookie and reads and decrypts the contents of the cookie. Though the data stored inside the cookie is not sensitive, it has been encrypted via TripleDES encryption. A question was raised today whether the cookie saved on a single PC could be copied onto another PC, and whether the web application would detect the presence of this copied cookie on another machine and ultimately decrypt what it would have on the original PC.
My question is this: We use the standard ASP.NET implementation to save cookies (i.e. via HttpResponse). Does the index.dat file prevent the transplant of a cookie from one machine to the other? What if the index.dat file was also transported and copied over, or is there some internal structure inside index.dat that ties a cookie to a specific machine?
Yes, if you copy the cookies from the source machine and save them on another system, you will be logged in to your Gmail account. If the session has expired on the source machine, then these cookies are of no use.
Copy all cookies used in the current tab to the clipboard. This extension can be called by the shortcut key "Ctrl+Shift+K". It works like the export feature of EditThisCookie (http://editthiscookie.com/). The copied cookie objects can be used by puppeteer (https://github.com/puppeteer/puppeteer).
Yes, stealing cookies is a common technique to steal a session from a user.
Some sites try to bind a cookie to the IP of the client, but this fails in the face of big corporate proxies with multiple outbound interfaces or other non-residential setups.
Absolutely. This is one way that cross-site scripting (XSS) attacks work:
This particular issue bit SO during the private beta.
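An added example, not part of the question or the answers above: a Python sketch of the server-side check, using an HMAC-signed cookie in place of the question's TripleDES one (an assumption, as are the function names, key and IP addresses, all constructed here). It shows that a copied cookie validates from any machine until the server expires or ends the session, and that binding to the client IP also rejects the legitimate owner behind a proxy with several outbound addresses.

```python
import base64, hashlib, hmac, json, time

SECRET = b"constructed-demo-key"   # constructed; real keys come from a secret store
REVOKED = set()                    # server-side record of ended session ids

def _mac(body):
    return hmac.new(SECRET, body, hashlib.sha256).hexdigest().encode()

def issue(session_id, client_ip, ttl=900, now=None):  # cookie = claims + "." + MAC
    now = time.time() if now is None else now
    claims = {"sid": session_id, "exp": int(now + ttl), "ip": client_ip}
    body = json.dumps(claims, sort_keys=True).encode()
    return base64.urlsafe_b64encode(body).decode() + "." + _mac(body).decode()

def validate(cookie, client_ip, bind_ip=False, now=None):
    """Return (ok, reason). Nothing here can see which machine stored the cookie."""
    now = time.time() if now is None else now
    try:
        b64, tag = cookie.split(".")
        body = base64.urlsafe_b64decode(b64.encode())
    except ValueError:
        return False, "malformed"
    if not hmac.compare_digest(tag.encode(), _mac(body)):
        return False, "bad signature"
    claims = json.loads(body)
    if claims["exp"] < now:
        return False, "expired"
    if claims["sid"] in REVOKED:
        return False, "session ended"
    if bind_ip and claims["ip"] != client_ip:
        return False, "ip mismatch"
    return True, "ok"

def demo():
    t0 = 1_700_000_000                       # constructed clock value
    c = issue("s1", "203.0.113.10", now=t0)  # documentation-range IPs, constructed
    out = {
        "copied to another PC": validate(c, "198.51.100.7", now=t0 + 60),
        "copied, IP bound": validate(c, "198.51.100.7", bind_ip=True, now=t0 + 60),
        "owner, other proxy egress": validate(c, "203.0.113.11", bind_ip=True, now=t0 + 60),
        "after expiry": validate(c, "203.0.113.10", now=t0 + 901),
    }
    REVOKED.add("s1")                        # logout or server-side session expiry
    out["after session ended"] = validate(c, "203.0.113.10", now=t0 + 60)
    REVOKED.discard("s1")
    return out

if __name__ == "__main__":
    print(demo())
```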