Chapter 9. You've Got Some Email in My W...

Authentication and Authorization with Cookies

HTTP is stateless: the server does not remember who you are from one request to the next. The usual way to give it a memory is a cookie, which works like the ticket you get at a coat check. When you come back, you show the attendant the ticket so that he "remembers" you and hands over your coat. Similarly, the application sets a cookie, a small piece of data that the browser stores and sends back with every later request to that site, allowing the server to "remember" you and display your data. The server, however, cannot tell whether the value it receives is the one it issued or one the user typed in. When a cookie carries authentication or authorization data in a form that can be read and edited, such as a plain-text privilege flag or a predictable user number, anyone who changes it can impersonate other users or grant themselves privileges the application never gave them.

Case Study 9-7

Charlie was a self-professed hacker. He didn't know a lot about hacking, but he knew a few tricks and tried them out from time to time. While using his Web-based email system, he noticed the Web site was returning a cookie with the value admin=N. Charlie changed the N to a Y and went to his email account. To his amazement, new menus were now available in the application. Within a few minutes, Charlie realized he had access to thousands of email accounts.
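To make the point above and Case Study 9-7 concrete, here is an added example (not code from the book or from any real email application) that puts the vulnerable check beside two ways of fixing it: an opaque server-side session whose cookie carries no privilege data at all, and an HMAC-signed cookie for the case where state must stay on the client. The cookie header strings, the secret key and the in-memory session store are all constructed for the example.

```python
import hashlib
import hmac
import secrets


def parse_cookie_header(header: str) -> dict:
    """Parse a raw Cookie request header ("a=1; b=2") into a dict."""
    cookies = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            cookies[name] = value
    return cookies


# --- 1. The pattern from Case Study 9-7: authorization read straight from a
#        client-editable cookie. Anyone can change admin=N to admin=Y.

def is_admin_vulnerable(cookie_header: str) -> bool:
    return parse_cookie_header(cookie_header).get("admin") == "Y"


# --- 2. Fix A: the cookie is only an opaque session ID; privilege lives
#        server-side. An edited or guessed cookie maps to no session at all.

_SESSIONS = {}  # session id -> record; in-memory stand-in for a real store (constructed)


def create_session(username: str, is_admin: bool) -> str:
    sid = secrets.token_urlsafe(32)  # 256 bits of randomness: not guessable
    _SESSIONS[sid] = {"user": username, "admin": is_admin}
    return sid


def is_admin_session(cookie_header: str) -> bool:
    sid = parse_cookie_header(cookie_header).get("session")
    record = _SESSIONS.get(sid)
    return bool(record and record["admin"])


# --- 3. Fix B: if state must ride in the cookie, sign it with an HMAC so
#        that any edit is detected. The key here is generated for the example;
#        a real deployment loads it from configuration or a key store.

_SECRET_KEY = secrets.token_bytes(32)


def sign_value(value: str) -> str:
    mac = hmac.new(_SECRET_KEY, value.encode(), hashlib.sha256).hexdigest()
    return f"{value}.{mac}"


def verify_value(signed: str):
    """Return the original value if the MAC checks out, else None."""
    value, sep, mac = signed.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(_SECRET_KEY, value.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so the check does not leak where the MAC differs.
    if not hmac.compare_digest(mac, expected):
        return None
    return value


def is_admin_signed(cookie_header: str) -> bool:
    return verify_value(parse_cookie_header(cookie_header).get("admin", "")) == "Y"


def tamper_admin_flag(signed_cookie: str) -> str:
    """What Charlie did: flip the leading N to Y and leave the rest alone."""
    return "Y" + signed_cookie[1:]


if __name__ == "__main__":
    # Constructed demo: the server issues admin=N, the user edits it to Y.
    print("vulnerable, edited  :", is_admin_vulnerable("admin=Y"))                          # True
    issued = sign_value("N")
    print("signed, as issued   :", is_admin_signed(f"admin={issued}"))                       # False
    print("signed, edited      :", is_admin_signed(f"admin={tamper_admin_flag(issued)}"))    # False
    sid = create_session("charlie", is_admin=False)
    print("session, as issued  :", is_admin_session(f"session={sid}"))                       # False
    print("session, guessed id :", is_admin_session("session=admin"))                        # False
```

Of the two fixes, the opaque session is the one to reach for by default: the cookie then holds nothing worth deciphering, logout and revocation are a server-side delete, and there is no key to rotate. The signed cookie stops editing but still exposes the value (here, the admin flag) to the user, and it can be replayed until it expires, so a real implementation adds an expiry and an issued-at timestamp inside the signed payload.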
