The Dangers of Improper Cookie Use
shifted89 writes "Over the last year, the security community have exposed web application security for what it is — extremely lacking. However, for all the focus on XSS, CSRF, history stealing, etc., not much attention has been given to the cookie. Unfortunately, cookie misuse can be just as dangerous, if not more so than XSS attacks and InformIT illustrates why. In short, the author clearly demonstrates what can happen when a website improperly uses cookies for customer tracking — including a working illustration."
Oh well, I guess this is just another lesson in how marketers will shoot themselves in the foot. Animated GIFs are abused, so I turn animation off. Cookies are abused, so I reject any cookie that is not obviously necessary. Flash is useful, but there is no way to request that it does not start automatically, so either I don't install it or I install a hack to block it. I don't even see the product that is being advertised.
I hope this gets everyone off their high horse and makes them realize that third-party cookies should be rejected on all machines by default. What I really wish existed was a screen that popped up every time you went to a new site that informed the user of the site and asked for a cookie preference for that site. That way, all cookies could be accepted at the corporate site, and no cookies might be accepted at Google.
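The per-site cookie preference described in the comment above, as an added example that is not part of the original thread: a cookie is treated as third-party when the host setting it does not share a registrable domain with the page being viewed, and such cookies are rejected regardless of preference; first-party cookies follow a per-site table that defaults to reject. The hostnames, the `.example` domains and the `site_prefs` table are constructed for illustration, and `registrable_domain` is a deliberate simplification of what a browser's Public Suffix List lookup does.

```python
"""Added example (not from the article or the comments): a deny-by-default,
per-site cookie policy. Hostnames and the policy table are constructed."""
from http.cookies import SimpleCookie


def registrable_domain(host):
    """Approximation: the last two DNS labels of the host.
    A real browser consults the Public Suffix List so that suffixes such as
    'co.uk' are handled; this assumption is fine for the .example hosts used here."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_third_party(page_host, setter_host):
    """True when the host setting the cookie is not under the page's domain."""
    return registrable_domain(page_host) != registrable_domain(setter_host)


def cookie_decision(page_host, setter_host, set_cookie_header, site_prefs):
    """Return 'accept' or 'reject' for one Set-Cookie header.

    site_prefs maps a registrable domain to 'accept' or 'reject' for that
    site's own (first-party) cookies; a site that is not listed is rejected,
    which is the 'reject by default' behaviour the comment asks for.
    """
    if is_third_party(page_host, setter_host):
        return "reject"  # third-party cookies are never accepted

    cookie = SimpleCookie()
    cookie.load(set_cookie_header)
    for morsel in cookie.values():
        # A Domain attribute that reaches outside the setter's own registrable
        # domain is not 'obviously necessary' for the site either.
        scope = morsel["domain"].lstrip(".")
        if scope and registrable_domain(scope) != registrable_domain(setter_host):
            return "reject"

    return site_prefs.get(registrable_domain(page_host), "reject")


if __name__ == "__main__":
    prefs = {"corp.example": "accept", "google.example": "reject"}  # constructed
    print(cookie_decision("www.corp.example", "www.corp.example", "pref=dark; Path=/", prefs))
    print(cookie_decision("www.corp.example", "ads.tracker.example", "id=42; Path=/", prefs))
```

The policy table is consulted only after the third-party test, so no preference can re-enable cross-site tracking cookies; the trade-off is that a site which legitimately serves its login cookie from a separate domain will need that domain listed as first-party by a smarter suffix lookup than the two-label approximation used here.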
"She's a scientist and a lesbian. She's not going to let it slide." Orphan Black
It says "updated Dec 15, 2006" but the comments at the end of the article are all dated from 2004. I mean, the problem is much older than that, but it seems the article was just updated with 2006 dates to make it seem more current. Or am I missing something?
$nice = $webHosting + $domainNames + $sslCerts
I like how the first thing the 'cookie misuse' site does is try to set a cookie. The 'why' remains unknown.
Another thing they do is prohibit tabbed browsing by using JavaScript to open an image from a thumbnail in a new window. Can someone please send these guys to a usability crash course?
See my blog for my free opinions.
Bingo. That's why I store the IP address along with the session ID in the database.
There was a merchant site that I visited quite some time ago that did something like this. Except they screwed it up and, along with putting the session ID in the URL, they "automatically" tied the session ID to account information. The effect this had was that anyone who visited a copied URL would pull up the account information of the person who had spread the URL around.
It took some time to figure it out. The URL was posted on a fairly busy forum, and it was a fairly fast-selling item, and 50+ people had used the link to try and make a purchase... and every time someone checked out, the account was updated with their information.
I'm not sure what the lesson here is, other than the fact that any "safe practice" can become insecure in the hands of idiots. Cookies aren't an inherently stupid idea, but the ease of using them invites a lot of abuses.
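The merchant-site failure described in the post above, and the IP-binding defence mentioned in the reply before it, as an added example that is not part of the original thread: a toy session store that first reproduces the broken design (session ID carried in the URL and automatically tied to an account, so everyone who follows a copied link overwrites the same account) and then a cookie-based design that keeps the ID in an HttpOnly cookie, records the client IP with the session, rejects replays from a different address and rotates the ID at login. The shop URL, the account data and the IP addresses are constructed for illustration.

```python
"""Added example (not from the article or the comments): the 'session ID in
the URL' failure beside a cookie-based session store with IP binding and
ID rotation. All names, URLs and addresses are constructed."""
import secrets
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, urlparse


class UrlSessionShop:
    """The broken design: the session ID rides in the URL and the account
    record is bound to it, so a shared link shares the account."""

    def __init__(self):
        self.sessions = {}  # sid -> account details tied to that session

    def start(self, name, address):
        sid = secrets.token_hex(8)
        self.sessions[sid] = {"name": name, "address": address}
        return "https://shop.example/item?sid=" + sid  # constructed URL

    def checkout(self, url, name, address):
        """Whoever follows the URL inherits the session and overwrites the
        details tied to it, exactly the behaviour reported in the thread."""
        sid = parse_qs(urlparse(url).query).get("sid", [None])[0]
        account = self.sessions.get(sid)
        if account is None:
            raise KeyError("unknown session")
        account.update({"name": name, "address": address})
        return dict(account)


class CookieSessionShop:
    """The hardened design: opaque ID in an HttpOnly/Secure cookie, client IP
    stored with the session, mismatch rejected, ID rotated at login."""

    def __init__(self):
        self.sessions = {}  # sid -> {"user": ..., "ip": ...}

    @staticmethod
    def _set_cookie_header(sid):
        cookie = SimpleCookie()
        cookie["sid"] = sid
        cookie["sid"]["httponly"] = True   # not readable by page scripts
        cookie["sid"]["secure"] = True     # only sent over HTTPS
        cookie["sid"]["samesite"] = "Strict"
        cookie["sid"]["path"] = "/"
        return cookie.output(header="Set-Cookie:").strip()

    def login(self, user, client_ip, old_sid=None):
        # Rotate: any ID issued before login (possibly shared or fixated)
        # is discarded so it can never be redeemed for the logged-in session.
        self.sessions.pop(old_sid, None)
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": user, "ip": client_ip}
        return sid, self._set_cookie_header(sid)

    def whoami(self, cookie_header, client_ip):
        """Resolve the user for a request; None means 'not authenticated'."""
        cookie = SimpleCookie()
        cookie.load(cookie_header)
        sid = cookie["sid"].value if "sid" in cookie else None
        session = self.sessions.get(sid)
        if session is None or session["ip"] != client_ip:
            return None  # unknown ID, or ID replayed from another address
        return session["user"]


def demo():
    """Run both scenarios and return the observable results."""
    # Broken design: the link is posted on a forum and two strangers use it.
    shop = UrlSessionShop()
    link = shop.start("alice", "1 Alice St")
    shop.checkout(link, "bob", "2 Bob Rd")
    final_account = shop.checkout(link, "carol", "3 Carol Ave")

    # Hardened design: the same ID replayed from a different IP is refused.
    safe = CookieSessionShop()
    sid, set_cookie = safe.login("alice", "198.51.100.7")
    own = safe.whoami("sid=" + sid, "198.51.100.7")
    replayed = safe.whoami("sid=" + sid, "203.0.113.9")
    return final_account, own, replayed, set_cookie


if __name__ == "__main__":
    for item in demo():
        print(item)
```

In the broken half the account ends up holding the details of whoever checked out last, which is the symptom the post describes. In the hardened half the ID is only ever stored server-side and carried in a cookie, so copying a page URL carries no session at all; the IP check adds a second hurdle, at the cost that a legitimate user whose address changes mid-session (mobile networks, some proxies) is logged out and must sign in again.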
Hmm. Animated GIFs? Check. Blink? Check. Scrolling status bar? Check. Background MIDI files? Check. Pop-ups? Check. Flash ads with full video and sound? Check. Garish color schemes? Double-check.
I think you're on to something!
Do you count CSS as an innovation? If so, I have to disagree with you. Wouldn't it be better to word it "I hate any innovation that annoys me", instead of a blanket "any" innovation? Or maybe I should just develop all my sites in size 15 font, using framesets, in Times New Roman, and 16 colours. Innovation in itself is not bad; innovation for the sake of it is. The misuse of technology also cannot be blamed on the technology itself but on the dumb people who develop. I find JavaScript incredibly useful to improve my UI; some people decide to make yellow scrolling text on a magenta background, and that's not JavaScript's issue. Don't shoot the messenger. Better go, my brick cell phone is ringing, and I'm missing Magnum PI reruns.