
domain param in session_set_cookie_params()


Recommended Posts

Hi there,

I bumped into the use of session_set_cookie_params() and was thinking about how to limit access for undesired users.

Besides lifetime, I thought it would be effective to set the domain param.

But how effective is this in reality? Isn't it also possible to spoof domain names (as a lot can be crafted)?

Is there any evidence this can be done and, if so, how to avoid it? Like cloaking domains or so, or is that exaggerated and time consuming?


What exactly are you trying to protect against? When you set the domain for a cookie then the browser will only use cookies for the domain you're on, it's not going to send cookies set for one domain to a different domain. So what exactly are you trying to protect against, what is the attack scenario?


To be honest, I don't have a real 'attack scenario'. Sorry guys.

I think as a programmer and not from the wrong side. I do that because I assume there are numerous attacks possible. I have been reading at OWASP; this obviously offers some standard procedures.

What exactly are you trying to protect against? When you set the domain for a cookie then the browser will only use cookies for the domain you're on, it's not going to send cookies set for one domain to a different domain. So what exactly are you trying to protect against, what is the attack scenario?

Is it possible to simulate a domain name? Like, for instance, a virtual host or probably an IP address with a crafted domain name (I know it's not possible) having the same name as the target, and then make a cookie that hijacks a session?

Or is this far-fetched?


You can build your own cookies for any domain you want, but when your browser contacts the site it's only going to send the cookies for that site (unless you've changed the code for your browser so that it sends other cookies, in which case you're only attacking yourself).

 

You can write PHP code to set the domain for any cookie also, so your site could create cookies that the browser will send to google.com or something, but that isn't going to result in any information leakage. Again, you're only attacking yourself.

 

If you're talking about setting up a server for google.com which browsers would send the cookies for that domain to, that's only going to work if you have control of the nameservers for a network, where you can route all traffic for a particular host to your own server. They wouldn't be able to reach the actual server though.

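The following is an added example, not code posted in this thread, showing the two things the replies describe: how the session cookie is configured with session_set_cookie_params(), and the domain-matching rule (RFC 6265, section 5.1.3) a browser applies when deciding whether a stored cookie is sent with a request to a given host. Two practical caveats it makes visible: leaving the domain param empty gives a host-only cookie, which is the tightest scope, while setting domain to example.com widens the cookie to every subdomain rather than restricting it; and a look-alike host such as example.com.evil.net does not domain-match example.com, so a spoofed name on a different domain never receives the cookie. Browsers also reject a Set-Cookie whose Domain attribute does not cover the responding host, so a site cannot plant cookies for an unrelated domain. All host names and the cookie settings below are made-up assumptions for illustration.

```php
<?php
// Added example (not from the original thread). Hosts are made up.
declare(strict_types=1);

/**
 * Configure the PHP session cookie; must be called before session_start().
 * An empty 'domain' yields a host-only cookie (sent only to the exact host
 * that set it). A non-empty 'domain' such as 'example.com' widens the cookie
 * to every subdomain, so only set it when that sharing is intended.
 */
function configureSessionCookie(string $domain = ''): void
{
    session_set_cookie_params([
        'lifetime' => 0,          // browser-session cookie, dropped when the browser closes
        'path'     => '/',
        'domain'   => $domain,    // '' = host-only
        'secure'   => true,       // only sent over HTTPS
        'httponly' => true,       // not readable from JavaScript
        'samesite' => 'Strict',   // not sent on cross-site requests
    ]);
}

/**
 * RFC 6265 section 5.1.3 domain matching, as a browser performs it.
 * True when the cookie's Domain attribute covers $requestHost.
 */
function domainMatches(string $requestHost, string $cookieDomain): bool
{
    $host   = strtolower(rtrim($requestHost, '.'));
    $domain = strtolower(trim($cookieDomain, '.')); // a leading dot is ignored

    if ($domain === '') {
        return false;
    }
    if ($host === $domain) {
        return true;
    }
    // Otherwise the host must end in ".<domain>" and must not be an IP literal.
    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        return false;
    }
    $suffix = '.' . $domain;
    return strlen($host) > strlen($suffix)
        && substr($host, -strlen($suffix)) === $suffix;
}

/**
 * Would a browser send this cookie with a request to $requestHost?
 * A cookie without a Domain attribute is host-only: it is sent only to the
 * host that set it ($setByHost).
 */
function cookieSentTo(string $requestHost, string $setByHost, string $cookieDomain): bool
{
    if ($cookieDomain === '') {
        return strtolower(rtrim($requestHost, '.')) === strtolower(rtrim($setByHost, '.'));
    }
    return domainMatches($requestHost, $cookieDomain);
}

// Constructed cases: [request host, host that set the cookie, Domain attribute, expected result]
$cases = [
    ['www.example.com',      'www.example.com', '',            true],
    ['api.example.com',      'www.example.com', '',            false], // host-only: not shared with siblings
    ['api.example.com',      'www.example.com', 'example.com', true],  // Domain widens scope to subdomains
    ['example.com.evil.net', 'www.example.com', 'example.com', false], // look-alike host: no match
    ['attacker.net',         'www.example.com', 'example.com', false],
];
foreach ($cases as [$req, $setBy, $dom, $expected]) {
    $sent = cookieSentTo($req, $setBy, $dom);
    printf("%-24s domain=%-14s sent=%s\n", $req, "'" . $dom . "'", $sent ? 'yes' : 'no');
    assert($sent === $expected);
}
```

The matching rule is why the domain param cannot be "spoofed" into leaking a session: the browser compares the stored Domain attribute against the host it is actually connecting to, and a server on another name, however similar, never satisfies that comparison. What the param does control is how widely your own cookie is shared across your own subdomains, so for the tightest scope leave it empty.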
