Can cookies be copied between machines to impersonate a user?

Yes, stealing cookies is a common technique to steal a session from a user.

Some sites try to bind a cookie to the IP of the client, but this fails in the face of big corporate proxies with multiple outbound interfaces or other non-residential setups.
Absolutely. This is one way that cross-site scripting (XSS) attacks work:

  1. I inject JavaScript into a page
  2. I wait for someone to look at the page
  3. The JavaScript I injected sends me your cookies
  4. I log in as you and do bad things

This particular issue bit SO during the private beta.
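A defender-side check for the scenario described in the answers, added here as an example that is not part of either answer: it parses `Set-Cookie` headers and reports which session-hardening attributes are missing (`HttpOnly` in particular stops page scripts from reading the cookie in step 3). The sample headers and cookie names are constructed.

```python
"""Audit Set-Cookie headers for attributes that limit session-cookie theft.
Added example, not code from the original answers; sample values are constructed."""
from typing import Dict, List, Tuple

def parse_set_cookie(header: str) -> Tuple[str, str, Dict[str, str]]:
    """Split 'name=value; Attr; Attr=val' into (name, value, {attr_lower: val})."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs

def missing_hardening(header: str) -> List[str]:
    """Return the hardening attributes a session cookie lacks (empty list = ok)."""
    _name, _value, attrs = parse_set_cookie(header)
    missing: List[str] = []
    if "httponly" not in attrs:
        # Without HttpOnly, script running in the page can read the cookie
        # (step 3 of the XSS scenario in the answer above).
        missing.append("HttpOnly")
    if "secure" not in attrs:
        # Without Secure, the browser also sends the cookie over plain HTTP.
        missing.append("Secure")
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        # SameSite=Lax/Strict keeps the cookie off most cross-site requests.
        missing.append("SameSite=Lax|Strict")
    return missing

def audit_headers(headers: List[str]) -> Dict[str, List[str]]:
    """Map each cookie name to its missing attributes."""
    return {parse_set_cookie(h)[0]: missing_hardening(h) for h in headers}

# Constructed sample headers, as a server might emit them.
SAMPLE_HEADERS = [
    "sessid=CONSTRUCTED_1; Path=/; HttpOnly; Secure; SameSite=Lax",
    "sessid_legacy=CONSTRUCTED_2; Path=/; Expires=Wed, 01 Jan 2025 00:00:00 GMT",
    "prefs=dark; Path=/; Secure; SameSite=None",
]

if __name__ == "__main__":
    for cookie, missing in audit_headers(SAMPLE_HEADERS).items():
        print(f"{cookie}: {'ok' if not missing else 'missing ' + ', '.join(missing)}")
```

These attributes narrow how a cookie can be stolen; they do not stop a cookie already copied off the client machine from being replayed, which is the question's original point.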