6.30.2009

Cookie Poisoning

I wanted to talk a little bit more about Cookie Poisoning, as it is something that a lot of people seem to be interested in. Basically, a cookie stores information on the client's machine on behalf of a website. Typically, it holds a session id, essentially a unique identifier.

A typical Amazon Cookie.

Cookies can store other information as well. "Other information" may be as harmless as a user name that your favorite website remembers so you don't have to type it in every time you log in. It can also be non-trivial, like an account number, shopping cart total, social security number or any other personal information. I wish this wasn't the case, but I'm sure there are some websites that do this. The problem does not stop here. Anyone can edit a cookie and change their shopping cart total. Who wouldn't want to buy a brand new TV for a hundred bucks? Wouldn't you also get the store warranty that they always try to sell you but no one buys?

How do you edit cookies? Download and install Add N Edit Cookies (a Firefox add-on).

There are a number of ways to protect yourself from this vulnerability.
  • Do not save sensitive information in cookies.
  • Try to utilize server side sessions where possible.
  • Encrypt your cookie data.
  • Set an expiration that makes sense.
Note that cookie security should entail using SSL for your website AND encrypting the data in your cookie. If your site transmits any personal information, securing your site with SSL is a must. Packet sniffers can read cookie data that is sent in the clear. Furthermore, anyone who has access to your local hard drive can view cookie data. Secure your data using strong encryption!
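As an added example that is not part of the original post: a Python sketch of the vulnerable pattern described above (a server that trusts a cart total stored in the cookie) next to two of the mitigations from the list, a server-side session store and an HMAC-signed cookie whose expiry is checked on the server rather than left to the browser. The secret key, the `SessionStore` class and the cookie layout `value|expires.tag` are assumptions made for this example, not the API of any particular framework.

```python
import base64
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Constructed example key; a real deployment loads this from a secret store,
# never from source code.
SERVER_SECRET = b"constructed-example-key-not-for-production"


def naive_cart_total(cookies: dict) -> float:
    """Vulnerable pattern from the post: the server charges whatever total the cookie carries.
    A shopper who edits the cookie in the browser sets their own price."""
    return float(cookies["cart_total"])


def _tag(payload: str) -> str:
    """HMAC-SHA256 over the payload, base64url without padding (no '.' or '|' in the output)."""
    mac = hmac.new(SERVER_SECRET, payload.encode("utf-8"), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode("ascii").rstrip("=")


def sign_cookie(value: str, ttl_seconds: int, now: Optional[float] = None) -> str:
    """Produce 'value|expires.tag'. Only the server knows SERVER_SECRET, so only the
    server can produce a valid tag; the expiry is inside the signed payload, so it
    cannot be extended by editing the cookie."""
    if "|" in value:
        raise ValueError("value must not contain the '|' separator")
    expires = int((time.time() if now is None else now) + ttl_seconds)
    payload = f"{value}|{expires}"
    return f"{payload}.{_tag(payload)}"


def verify_cookie(signed: str, now: Optional[float] = None) -> Optional[str]:
    """Return the original value if the tag matches and the cookie is unexpired, else None."""
    payload, sep, tag = signed.rpartition(".")
    if not sep:
        return None
    # Constant-time comparison so the tag cannot be guessed byte by byte via timing.
    if not hmac.compare_digest(_tag(payload).encode("ascii"), tag.encode("utf-8")):
        return None
    value, _, expires = payload.rpartition("|")
    if not expires.isdigit():
        return None
    if (time.time() if now is None else now) >= int(expires):
        return None
    return value


def checked_cart_total(signed_cookie: str, now: Optional[float] = None) -> Optional[float]:
    """Mitigated pattern: accept the total only if the cookie was issued by us and is still valid."""
    value = verify_cookie(signed_cookie, now)
    return None if value is None else float(value)


class SessionStore:
    """Server-side sessions (assumed helper): the cookie holds only an opaque random id,
    the cart data never leaves the server, so there is nothing meaningful to edit."""

    def __init__(self) -> None:
        self._sessions: dict = {}

    def create(self, data: dict) -> str:
        sid = secrets.token_urlsafe(32)  # 256 bits of randomness, not guessable
        self._sessions[sid] = dict(data)
        return sid

    def get(self, sid: str) -> Optional[dict]:
        return self._sessions.get(sid)


if __name__ == "__main__":
    # Constructed scenario: the real total is 499.99, the shopper rewrites the cookie to 100.00.
    print("vulnerable server charges:", naive_cart_total({"cart_total": "100.00"}))

    signed = sign_cookie("499.99", ttl_seconds=3600, now=1_000_000)
    forged = "100.00|" + signed.split("|", 1)[1]  # value changed, tag and expiry kept
    print("signed cookie accepted:", checked_cart_total(signed, now=1_000_000))
    print("forged cookie accepted:", checked_cart_total(forged, now=1_000_000))
    print("expired cookie accepted:", checked_cart_total(signed, now=1_003_600))

    store = SessionStore()
    sid = store.create({"cart_total": 499.99})
    print("server-side session:", store.get(sid))
```

The signature is what stops the poisoning in the post's TV-for-a-hundred-bucks scenario: encryption on its own hides the value from anyone reading the cookie file or a packet capture, but an encrypted value that carries no authentication tag can still be modified, so if you encrypt, use an authenticated mode or sign the ciphertext as above. The server-side session removes the problem entirely, at the cost of state on the server.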

4 comments:

  1. This is one of the best articles I read online. No crap, just useful information. Very well presented. Check the following link too; it might be useful for you.

    http://mindstick.com/Blog/123/What%20is%20Cookie%20poisoning
