|
WebApp Sec
mailing list archives
Re: Unable to impersonate another user although having its cookie
From: pUm <hijacka () googlemail com>
Date: Wed, 1 Jul 2009 15:00:49 +0100
just a gues,
but try to fake the user agent. something in the http header must be
part of the cookie auth. so try them all and then reduce. My guess is
that it is the user-agent
2009/7/1 Juan Kinunt <kinunt () gmail com>:
Hi,
I'm auditing a web application programmed in CakePHP and I'm having a problem.
I'm almost sure the authentication mechanism is carried by a cookie
but I'm unable to impersonate another user using its cookie.
The probe I do is opening two sessions with two different users (one
in internet explorer and one in firefox). Then I copy the cookie
belonging to one user and substitute it in a request done by the other
user (using WebScarab). The app throws and error and disconnects the
validated and legal user.
I think that some info is stored in server side about the client who
owns each cookie.
Is this possible? Is it the normal operation in sessions in CakePHP?
Any info or pointer would be very useful.
Thanks.
 By Date 
By Thread
Current thread:
| 
Intro
