Gossamer Forum

non-persistent cookies and web security

I'm trying to learn more about the difference between persistent and non-persistent cookies. As far as I can tell, it appears that persistent cookies are stored as text files on the user's hard drive, while non-persistent cookies are stored in the user's RAM as part of the browser process (?).

Is that assessment accurate? If so, it seems like it would be relatively easy to forge a persistent cookie, but rather difficult (if not nearly impossible) to forge a non-persistent cookie.

Ultimately I'm trying to figure out what security risks are associated with using non-persistent cookies for user authentication.

Thanks for any advice or suggestions.

Fractured Atlas :: Liberate the Artist
Services: Healthcare, Fiscal Sponsorship, Marketing, Education, The Emerging Artists Fund
Re: [hennagaijin] non-persistent cookies and web security
AFAIK any type of cookie can be faked. The script you are tricking won't know whether the cookie is persistent or not; it will most likely just be checking for a cookie value or that the cookie exists, so I could just post something like:

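Code:
use strict;
use warnings;
use HTTP::Cookies;
use LWP::UserAgent;

# A scripted HTTP client with its own in-memory cookie jar
my $ua = LWP::UserAgent->new( agent => 'Foo/1.0', timeout => 30 );
my $jar = HTTP::Cookies->new();

# Arguments elided in the original post: the client chooses the cookie name and value itself
$jar->set_cookie( ... );
# Every request made through $ua now sends whatever is in the jar
$ua->cookie_jar( $jar );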
Re: [Paul] non-persistent cookies and web security
That's a good point that hadn't occurred to me for some reason. Thanks.

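
Added example, not part of any post in this thread: since the server cannot tell a browser's session cookie from one set by a script, the sketch below puts a check that trusts the cookie's value beside one that only accepts values the server itself signed with an HMAC and an expiry. The function names, the `user|expiry|mac` cookie layout and the demo key are assumptions made for this illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

# Constructed demo key; a real deployment loads a random secret from server-side config.
my $SECRET = 'demo-only-server-secret';

# Weak check of the kind described in the thread: trusts whatever the client sent.
sub naive_check {
    my ($cookie) = @_;
    return defined $cookie && $cookie =~ /^user=(\w+)$/ ? $1 : undef;
}

# Issue "user|expiry|mac"; the MAC covers both the user name and the expiry time.
sub issue_token {
    my ($user, $ttl) = @_;
    my $expires = time() + $ttl;
    return join '|', $user, $expires, hmac_sha256_hex("$user|$expires", $SECRET);
}

# String comparison that does not stop at the first differing character.
sub same_string {
    my ($x, $y) = @_;
    return 0 if length($x) != length($y);
    my $diff = 0;
    $diff |= ord(substr $x, $_, 1) ^ ord(substr $y, $_, 1) for 0 .. length($x) - 1;
    return $diff == 0;
}

# Returns the user name only if the MAC matches and the token has not expired.
sub verify_token {
    my ($cookie) = @_;
    return unless defined $cookie
        && $cookie =~ /^(\w+)\|(\d+)\|([0-9a-f]{64})$/;
    my ($user, $expires, $mac) = ($1, $2, $3);
    return unless same_string($mac, hmac_sha256_hex("$user|$expires", $SECRET));
    return if $expires < time();
    return $user;
}

# Constructed inputs: a genuine token, and the same token with the user name edited.
my $good = issue_token('alice', 900);
(my $edited = $good) =~ s/^alice/admin/;
printf "naive,  client-chosen value -> %s\n", naive_check('user=admin') // 'rejected';
printf "signed, genuine token       -> %s\n", verify_token($good)       // 'rejected';
printf "signed, edited token        -> %s\n", verify_token($edited)     // 'rejected';
```

Signing stops a client from inventing or editing the value, whether the cookie is persistent or not; it does not stop a captured cookie from being replayed, which is why the token carries an expiry.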