During normal operation, cookies are sent back and forth between a server (or a group of servers in the same domain) and the computer of the browsing user. Since cookies may contain sensitive information (user name, a token used for authentication, etc.), their values should not be accessible to other computers. Cookies theft is any process allowing an unauthorised party to receive a cookie.
A first way cookies can be stolen is via packet sniffing. Traffic on a network can be read by computers on the network other than its sender and its receiver. This traffic includes cookies sent on ordinary HTTP sessions. Users on these computers can read the traffic on the network, including the cookies, using programs called packet sniffers. This problem can be overcome by using the https URI scheme, which invokes Transport Layer Security to encrypt the connection. A server can specify the secure flag while setting a cookie; the browser will then send it only over a secure channel, such as an SSL connection.
A different way to steal cookies is cross-site scripting, which makes the browser itself send cookies to servers that should not receive them. Modern browsers allow execution of pieces of code retrieved from the server. If cookies are accessible during execution, their value may be communicated in some form to servers that should not access them. Encrypting cookies before sending them on the network does not help against this attack.[12]
This possibility is typically exploited by attackers on sites that allow users to post HTMLHttpOnly flag;[13] this is a Microsoft option that makes a cookie inaccessible to client side script. content. By embedding a suitable piece of code in an HTML post, an attacker may receive cookies of other users. Knowledge of these cookies can then be exploited by connecting to the same site using the stolen cookies, thus being recognised as the user whose cookies have been stolen. A way for preventing such attacks is by the
from wikipedia
5 comments:
It seems there's a bit of confusion about HTTPS. With HTTPS the communication is going on a secure channel. This means that to access the traffic you either have to perform a successful man-in-the-middle attack which requires forging the servers certificate or you will have to crack the encryption. Both of these are practically impossible.
Please stop spreading mis-information on topics you have no knowledge of.
Jacob
nothing is impossible...
critcism is , ofcorse, always desired
but if you (jacob) have information that can delete the mis-information then it would to be the advantage of all if you would share it
if knowledge is power then would you care to empower us?
[url=http://www.doudounepaschercs.org/]doudoune[/url] zrjie [url=http://www.monclercool.net/]http://www.monclercool.net/[/url] qkqmr [url=http://www.doudounepaschercs.org/]doudoune homme[/url] ziweo [url=http://www.chaussuresuggpass.org/]http://www.chaussuresuggpass.org/[/url] yjtsh [url=http://www.chaussuresuggpass.org/]ugg pas cher[/url] ecfmg
[url=http://www.christianlouboutinuken.co.uk/]christian louboutin[/url] wvvup [url=http://www.ralphlaurenhomeen.co.uk/]ralph lauren uk[/url] ztoht [url=http://www.thomassabobraceleten.co.uk/]thomas sabo[/url] pvlpv [url=http://www.thomassabobraceleten.co.uk/]http://www.thomassabobraceleten.co.uk/[/url] qgijx
Post a Comment