Exercise : Unsafe Cookie (by Shiny Yang)

The following page unsafe.php (source) is a mockup of a badly written user login page. The programmer implemented the login page poorly because of a misunderstanding about cookies. Without peeking at the source, figure out the following:

• What cookies does the page set? Why are they a bad idea?
• How can you find out about the cookies stored by a given page?
• Can you figure out a way to discover a user's password? The page has accounts for stepp, reges, helenem, and jessica. The password for stepp is booyah but you don't know the others...
• What does this say about the safety of cookies and what kind of information should be stored in them?

Exercise Solution

• The page sets cookies named uwnetid, password, and loggedin.
• Use Chrome's Resources tab or Firebug's Cookies tab to see the cookies. Log in as one user and then their password is visible in the cookie, which is bad.
• BUG: After logging in, you can type another user's ID and resubmit the form to see their password in the cookie.
• BUG: If you manually set the cookie uwnetid to a name such as reges and set the cookie loggedin to true (such as in Firebug Cookies tab → Cookies → Create Cookie), it will think you are logged in even if you don't know any password.
• User-sensitive or private information should not be stored in cookies!