cookies security tidbit

Art

While doing some searching on the subject of buffer overrun
vulnerabilities/exploits, I noticed that so-called "poisoned cookies"
are sometimes used. That reminded me of an ancient trick we used to
play with Netscape where we would make cookies.txt a read-only
file. The idea is to first get that file the way you want it. In my
case, the only cookie I need is one from my mutual fund.

The procedure for Firefox I used is:
1. Tools - Options - Privacy - Cookies tab
2. Delete cookies
3. Uncheck "Allow sites to Set Cookies"
4. Select "Exceptions"
5. Enter the url and select "Allow"
6. Go to the url to set the cookie

To make sure no malicious web site can alter your cookies.txt
file, locate it using Windows Explorer and click on "Properties".
Check "Read Only". While you're at it, you can view it in Notepad
to verify that only the cookie(s) you want are included, and no
others. You may have some trouble locating the folder that the
cookies.txt file that's active for FF is in. It will be in
some .... \Firefox\Profiles\xxxxxxxx.default
where xxxxxxxx are eight random characters. FF seems to
create multiple starting paths on the NT based OS to allow for
the various ways you can log in. So that, plus the fact that
you may have other cookies.txt files besides the ones for
FF can make it a bit difficult to track down the particular active
FF cookies.txt file. So be careful to check and verify.

Art
http://home.epix.net/~artnpeg
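A worked check for the procedure above, added here and not part of Art's post or of Firefox itself: it parses a cookies.txt in the Netscape format that Firefox of that era wrote (seven tab-separated fields per line, lines starting with `#` being comments), reports any cookie whose domain is not the site you allowed or a subdomain of it, lists every cookies.txt under a profile root, and tests or sets the Read Only attribute that the Explorer checkbox toggles. The sample file contents, the hosts in it and the allowed-site list are constructed for the example; pass your real profile path and site instead. Later Firefox releases keep cookies in cookies.sqlite rather than cookies.txt, so the parser only applies to versions that still write the text file.

```python
import os
import stat
import tempfile
from dataclasses import dataclass

# Constructed sample in Netscape cookies.txt format: domain, subdomain flag,
# path, secure flag, expiry (unix time), name, value. Hosts are invented.
SAMPLE_COOKIES_TXT = (
    "# Netscape HTTP Cookie File\n"
    "# This is a generated file!  Do not edit.\n"
    "\n"
    ".example-fund.test\tTRUE\t/\tTRUE\t4102444800\tsessionid\tabc123\n"
    "www.example-fund.test\tFALSE\t/account\tTRUE\t4102444800\tprefs\tcompact\n"
    "#HttpOnly_.example-fund.test\tTRUE\t/\tTRUE\t4102444800\tauth\tzzz\n"
    ".adtracker.test\tTRUE\t/\tFALSE\t4102444800\tuid\t9f8e7d\n"
)


@dataclass(frozen=True)
class Cookie:
    domain: str
    include_subdomains: bool
    path: str
    secure: bool
    expires: int
    name: str
    value: str


def parse_cookies_txt(text):
    """Parse cookies.txt text into Cookie records; malformed lines raise."""
    cookies = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip("\r\n")
        if not line.strip():
            continue
        if line.startswith("#HttpOnly_"):  # some tools mark HttpOnly cookies this way
            line = line[len("#HttpOnly_"):]
        elif line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        domain, flag, path, secure, expires, name, value = fields
        cookies.append(Cookie(domain, flag == "TRUE", path, secure == "TRUE",
                              int(expires), name, value))
    return cookies


def unexpected_cookies(cookies, allowed_sites):
    """Cookies whose domain is neither an allowed site nor a subdomain of one."""
    allowed = {s.lstrip(".").lower() for s in allowed_sites}
    bad = []
    for c in cookies:
        host = c.domain.lstrip(".").lower()
        if not any(host == a or host.endswith("." + a) for a in allowed):
            bad.append(c)
    return bad


def is_read_only(path):
    st = os.stat(path)
    if os.name == "nt":  # the Explorer "Read Only" checkbox is this attribute
        return bool(st.st_file_attributes & stat.FILE_ATTRIBUTE_READONLY)
    return not st.st_mode & stat.S_IWUSR


def make_read_only(path):
    if os.name == "nt":  # on Windows os.chmod only toggles the Read Only attribute
        os.chmod(path, stat.S_IREAD)
    else:
        mode = os.stat(path).st_mode
        os.chmod(path, mode & ~(stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH))


def find_cookie_files(root):
    """Every cookies.txt below root; several profiles give several hits."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        if "cookies.txt" in files:
            hits.append(os.path.join(dirpath, "cookies.txt"))
    return sorted(hits)


def audit(path, allowed_sites):
    with open(path, encoding="utf-8") as f:
        cookies = parse_cookies_txt(f.read())
    return {"cookies": cookies,
            "unexpected": unexpected_cookies(cookies, allowed_sites),
            "read_only": is_read_only(path)}


def demo(allowed_sites=("example-fund.test",)):
    """Write the sample into a temporary fake profile, audit, lock, re-audit."""
    with tempfile.TemporaryDirectory() as tmp:
        profile = os.path.join(tmp, "Profiles", "xxxxxxxx.default")
        os.makedirs(profile)
        path = os.path.join(profile, "cookies.txt")
        with open(path, "w", encoding="utf-8") as f:
            f.write(SAMPLE_COOKIES_TXT)
        before = audit(path, allowed_sites)
        make_read_only(path)
        after = audit(path, allowed_sites)
        files = find_cookie_files(tmp)
        os.chmod(path, stat.S_IWRITE | stat.S_IREAD)  # let the temp dir clean up
        return before, after, files


if __name__ == "__main__":
    before, after, files = demo()
    print("cookie files:", files)
    print("unexpected  :", [f"{c.domain} {c.name}" for c in before["unexpected"]])
    print("read-only   :", before["read_only"], "->", after["read_only"])
```

Run as a script it audits the constructed sample; for a live profile call `find_cookie_files(root)` with the directory above your Profiles folder, then `audit(path, ["your-site"])` on each hit and `make_read_only(path)` on the one Firefox actually uses.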
 
Art,

Making FF cookie et al files RO may lead to a performance hit.
Take a look at
https://bugzilla.mozilla.org/show_bug.cgi?id=257288
http://forums.mozillazine.org/viewtopic.php?p=804224#804224

Caveat: that info is quite old -- I don't know the current
situation.

J
 

I haven't noticed any degradation of either FF or Opera
after making the cookies file RO.

Art
http://home.epix.net/~artnpeg

I do not see any degradation. However, the problem was
introduced in ver."x" (forgot the #) to which I did not upgrade.

"Little" (subjective) slowdown would be worth the benefit, IMHO.

J
 
