WebApp Sec: Unable to impersonate another user although having its cookie

Nmap Security Scanner

Intro

Ref Guide

Install Guide

Download

Changelog

Book

Docs
Security Lists

Bugtraq

Basics

More
Security Tools

More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

WebApp Sec mailing list archives

Unable to impersonate another user although having its cookie

From: Juan Kinunt <kinunt () gmail com>
Date: Wed, 1 Jul 2009 12:14:36 +0200

Hi,

I'm auditing a web application programmed in CakePHP and I'm having a problem.
I'm almost sure the authentication mechanism is carried by a cookie
but I'm unable to impersonate another user using its cookie.
The probe I do is opening two sessions with two different users (one
in internet explorer and one in firefox). Then I copy the cookie
belonging to one user and substitute it in a request done by the other
user (using WebScarab). The app throws and error and disconnects the
validated and legal user.
I think that some info is stored in server side about the client who
owns each cookie.

Is this possible? Is it the normal operation in sessions in CakePHP?

Any info or pointer would be very useful.

Thanks.

By Date By Thread

Current thread:

Unable to impersonate another user although having its cookie Juan Kinunt (Jul 01)
- Re: Unable to impersonate another user although having its cookie pUm (Jul 01)
  - Re: Unable to impersonate another user although having its cookie Brad Causey (Jul 01)
  - Re: Unable to impersonate another user although having its cookie jay . tomas (Jul 01)
    - Re: Unable to impersonate another user although having its cookie Christopher Firth (Jul 01)
    - Message not available
    - Re: Unable to impersonate another user although having its cookie jay . tomas (Jul 01)