[WEB SECURITY] Additional cookies in client requests

Achim Hoffmann webappsec at securenet.de
Fri Jun 25 17:18:41 EDT 2010


On Fri, 25 Jun 2010, Colin Watson wrote:

!! Hi
!! 
!! Does anyone have any advice or suggestions on what servers should do when they see additional cookies, not set or required by the application, in requests from clients?  If these were unwanted or duplicated URL or body arguments, we would take note.

Hi Colin,

unless the server serves exactly one application and there are no other 
applications in the same domain - like a.some.tld/appA and b.some.domain/appB -
the server has to ignore all unknown cookies and leave them as is.

Trying to delete them may break the other applications.

Achim


!! 
!! Examples:
!! 
!! Cookies = __qca=P0-528307545-1256116331708; SPcookie=1; CP=null*; mbox=session#1255871822667-436829#1255873771|PC#1253524687974-914132.15#1258463911|check#true#1255871971; s_vsn_diggcomsyndication_1=5125274231321; s_vnum=1256304560039%26vn%3D4 
!! 
!! Cookies = alpha=054f32d085440000b4568d4aaf180b00142b0000 
!! 
!! Cookies = XTCsid=f84b10f0570a9358dce964bf88a41bde, CFID=411554, CFTOKEN=b733d130f4d90992-35B1703B-001A-049D-FD4ABD6E192DDE85, alpha=474f32d08855000081c18c4af6c90d00cef10000
!! 
!! Cookies = __mmsid=a2ec06a74778be7410b66713a973fa49, __mmuid=871ba1698381d97450848d457cd43a17, __mmtrk=1|0|||14|0d63875714a98667813d733dec2cb81f, alpha=274f32d09923000041a2854abc640200f06a0000
!! 
!! Should we:
!! 
!! - ignore them
!! - try to delete them
!! - something else?
!! 
!! If they are some attempt at session fixation (a valid session cookie name for the application), then we need to watch out for that, but some requests come laden with all sorts of other cookie baggage.  What are the risks to the server and clients?
!! 
!! Thanks
!! 
!! Colin Watson
!! 

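The policy Achim describes (consume only the cookies the application defined, pass every unknown cookie through untouched, and watch the one case Colin raises, a duplicated session cookie name) as server-side code. This is an added example for this archive page, not code from either poster; it assumes a hypothetical application whose only cookie is a session cookie named `alpha`, and it reuses two of Colin's logged Cookie headers as sample input, plus one constructed header with a duplicated session cookie.

```python
"""Triage a request's Cookie header: keep the application's own cookies,
leave unknown ones alone, and refuse to pick between duplicate session values."""
from dataclasses import dataclass

# Assumed application cookie names; only 'alpha' is defined by our hypothetical app.
KNOWN_COOKIES = {"alpha"}
SESSION_COOKIE = "alpha"   # assumed name of the application's session cookie

# Sample input: two of the logged headers quoted in the thread. RFC 6265 joins
# pairs with '; ', but the logs show ', ' too, so the parser accepts both.
EXAMPLE_SEMI = ("__qca=P0-528307545-1256116331708; SPcookie=1; CP=null*; "
                "mbox=session#1255871822667-436829#1255873771|PC#1253524687974-914132.15"
                "#1258463911|check#true#1255871971; "
                "s_vsn_diggcomsyndication_1=5125274231321; s_vnum=1256304560039%26vn%3D4")
EXAMPLE_COMMA = ("XTCsid=f84b10f0570a9358dce964bf88a41bde, CFID=411554, "
                 "CFTOKEN=b733d130f4d90992-35B1703B-001A-049D-FD4ABD6E192DDE85, "
                 "alpha=474f32d08855000081c18c4af6c90d00cef10000")
# Constructed header: the same session cookie name sent twice.
EXAMPLE_DUP = "alpha=aaa; alpha=bbb; __qca=x"


@dataclass
class CookieTriage:
    known: dict                 # name -> value for cookies the application defined
    unknown: dict               # everything else, recorded but never deleted or rewritten
    duplicated_session: list    # every value seen for SESSION_COOKIE when there was more than one


def parse_cookie_header(header):
    """Return (name, value) pairs in order, keeping duplicates.

    Cookie values may not contain ';' or ',' (RFC 6265 cookie-octet), so
    splitting on both separators is safe. Fragments without '=' are skipped."""
    pairs = []
    for chunk in header.replace(",", ";").split(";"):
        chunk = chunk.strip()
        if not chunk:
            continue
        name, sep, value = chunk.partition("=")
        if not sep:
            continue
        pairs.append((name.strip(), value.strip()))
    return pairs


def triage(header, known=KNOWN_COOKIES, session=SESSION_COOKIE):
    """Sort cookies into known/unknown and detect a duplicated session name.

    Unknown cookies belong to other applications in the same domain and are
    left as they are. If the session cookie name appears more than once the
    request is treated as having no session at all rather than guessing which
    value is genuine; the caller should then authenticate afresh."""
    known_map, unknown_map, session_values = {}, {}, []
    for name, value in parse_cookie_header(header):
        if name == session:
            session_values.append(value)
        target = known_map if name in known else unknown_map
        target.setdefault(name, value)   # first occurrence kept for reporting
    duplicated = session_values if len(session_values) > 1 else []
    if duplicated:
        known_map.pop(session, None)     # do not trust either copy
    return CookieTriage(known_map, unknown_map, duplicated)


def forward_header(header):
    """Rebuild the Cookie header unchanged in content (normalised to '; ')
    so a proxy or front end can forward unknown cookies intact."""
    return "; ".join(f"{n}={v}" for n, v in parse_cookie_header(header))


if __name__ == "__main__":
    for h in (EXAMPLE_SEMI, EXAMPLE_COMMA, EXAMPLE_DUP):
        r = triage(h)
        print(sorted(r.known), sorted(r.unknown), r.duplicated_session)
```

The unknown cookies are only recorded (for logging or metrics), never expired with a `Set-Cookie`, which is the breakage Achim warns about. Dropping the session on a duplicated name is a conservative reading of Colin's fixation concern; whichever value the application would otherwise accept still has to be checked against its own server-side session store.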

----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/archive/

Subscribe via RSS: 
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

To unsubscribe email websecurity-unsubscribe at webappsec.org and reply to 
the confirmation email

Join WASC on LinkedIn 
http://www.linkedin.com/e/gis/83336/4B20E4374DBA

WASC on Twitter
http://twitter.com/wascupdates
