
domain param in session_set_cookie_param()


Balderick


hi there,

I bumped into the use of session_set_cookie_params() and was thinking about how to limit access for undesired users.

Besides lifetime, I thought it would be effective to set the domain param.

But how effective is this in reality? Isn't it also possible to spoof domain names (as a lot can be crafted)?

Is there any evidence this can be done and, if so, how to avoid it? Like cloaking domains or so, or is that exaggerating and time consuming?


What exactly are you trying to protect against? When you set the domain for a cookie then the browser will only use cookies for the domain you're on, it's not going to send cookies set for one domain to a different domain. So what exactly are you trying to protect against, what is the attack scenario?


To be honest I don't have a real 'attack scenario'. Sorry guys.

I think as a programmer and not from the wrong side. I do that because I assume there are numerous attacks possible. I have been reading at OWASP; this obviously offers some standard procedures.

What exactly are you trying to protect against? When you set the domain for a cookie then the browser will only use cookies for the domain you're on, it's not going to send cookies set for one domain to a different domain. So what exactly are you trying to protect against, what is the attack scenario?

Is it possible to simulate a domain name? Like for instance a virtual host, or probably an IP address with a crafted domain name (I know it's not possible) having the same name as the target, and then make a cookie that hijacks a session?

Or is this far-fetched?


You can build your own cookies for any domain you want, but when your browser contacts the site it's only going to send the cookies for that site (unless you've changed the code for your browser so that it sends other cookies, in which case you're only attacking yourself).

 

You can write PHP code to set the domain for any cookie also, so your site could create cookies that the browser will send to google.com or something, but that isn't going to result in any information leakage. Again, you're only attacking yourself.

 

If you're talking about setting up a server for google.com which browsers would send the cookies for that domain to, that's only going to work if you have control of the nameservers for a network, where you can route all traffic for a particular host to your own server. They wouldn't be able to reach the actual server though.

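The reply above makes the point that the domain attribute only controls which host(s) the browser will send the cookie back to; it does not stop anyone from crafting a cookie, it just stops that cookie from reaching anyone else's server. What the domain parameter actually buys you, together with the other attributes that matter for a session cookie, is easier to see in a concrete configuration. The following is an added example, not code posted in the thread; it assumes PHP 7.3 or later (the array form of session_set_cookie_params() with the samesite key) and a site served over HTTPS. The host name and the login helper are placeholders.

```php
<?php
// Added example (not from the thread): a hardened session cookie setup.
// Assumes PHP >= 7.3 and an HTTPS-only site. Host names are placeholders.

declare(strict_types=1);

// Reject session IDs that this server never issued. Without this, a
// visitor can arrive with a pre-chosen ID (session fixation) and PHP
// will happily create a session under it.
ini_set('session.use_strict_mode', '1');

// Carry the session ID in the cookie only, never in the URL.
ini_set('session.use_only_cookies', '1');

session_set_cookie_params([
    // 0 = a "session" cookie that the browser discards when it closes.
    'lifetime' => 0,
    'path'     => '/',
    // An EMPTY domain makes the cookie host-only: the browser returns it
    // only to the exact host that set it. Setting a value such as
    // 'example.com' widens the scope to that domain AND all its
    // subdomains, so empty is the strictest choice unless you really
    // need the session shared across subdomains.
    'domain'   => '',
    // Only ever sent over HTTPS, so it cannot be read on the wire.
    'secure'   => true,
    // Not exposed to document.cookie, which limits what injected script
    // can do with the session ID.
    'httponly' => true,
    // Not attached to cross-site POST requests, which blunts CSRF.
    'samesite' => 'Lax',
]);

session_start();

/**
 * Placeholder for the application's login path. After the credentials
 * have been verified, issue a fresh session ID so that any ID known to
 * a third party before login is worthless afterwards.
 */
function onLoginSuccess(int $userId): void
{
    // true = delete the old session data instead of keeping a copy.
    session_regenerate_id(true);
    $_SESSION['user_id']   = $userId;
    $_SESSION['issued_at'] = time();
}
```

The domain attribute, in other words, is a scoping control rather than an authentication control: it decides where the browser will present the cookie, not who is allowed to hold one. The protections against the scenarios the original post is worried about (someone obtaining or guessing a session ID) come from the strict-mode setting, the secure and httponly flags, and regenerating the ID on login; the domain value only needs to be as narrow as the application allows.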
