Re: IE cookies assigned to RAM disk survive reboot

[ian.cowan () perstorp com]

Try using the MOVE FOLDER button in IE SETTINGS (general tab) and point it
to your RAMDRIVE - this way the registry will be changed for you...boot to
dos, delete the temp internet folder completely (use deltree)...cold boot
your pc and then do some surfing, your cookies should then only reside in
the place you want..

Also set cookies to automatic in above and set disk space as low as
possible (usually 1Mb)

Hope this helps.
Ian





"Thomas C. Greene" <tcgreene () bellatlantic net> on 18/11/2001 11:35:34

To:   "Bugtraq" <bugtraq () securityfocus com>, <focus-ms () securityfocus com>
cc:

Subject:  IE cookies assigned to RAM disk survive reboot



I was playing with a Windows box running '98-SE, using a RAM disk for my
temp & tmp dirs and browser cache for added security. I was quite surprised
to find that my RAM drive 'remembered' all of my cookies between reboots,
in
spite of having gone into the registry to ensure, to the best of my
ability,
that the RAM disk would be my default cookie directory.

Something's wrong. If you set your history option to zero days, nothing
will
be recorded. Fine, and that's an essential for security. But I can't
prevent
cookies from surviving boot to boot, and I've done more than just assign
Temporary Internet Files to my RAM disk in IE setup.

First, here's my autoexec.bat:
@ECHO OFF
XMSDSK 86352 G: /C1 /T /Y
MD G:TEMP
SET TMP=G:TEMP
SET TEMP=G:TEMP

And my swap file setup:
PagingDrive=G:
MinPagingFileSize=65536
MaxPagingFileSize=65536

I have IE set with the RAM disk [G:\] as my 'Temporary Internet Files'
directory. But of course, there's a 'Cookies' subdirectory in the Windows
directory, which retains them and which has to be dealt with.

You'll find in the registry a key called Paths:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet
Settings\Cache\Paths

Which, in spite of your IE setup, will include a value indicating that the
cookie directory should be C:\Windows\Cookies.

So of course I changed it to G:\Temporary Internet Files\Cookies.

There is also a key called Special Paths:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet
Settings\Cache\Special Paths\Cookies

With the Default Directory C:\Windows\Cookies

Which, again, I changed to G:\Temporary Internet Files\Cookies.

There is another key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ProfileReconcili

ation\Cookies

With the value: DefaultDir *windir\Cookies

So changed DefaultDir to G:\Temporary Internet Files\Cookies as well.

I deleted all cookies from C:\Windows\Cookies and G:\Temporary Internet
Files\Cookies. I then booted into DOS and ran: del
C:\Windows\Cookies\Index.dat.

And then I started Windows and did some surfing. Then I rebooted. And when
Windows started I found all the cookies from that surf session in the
C:\Windows\Cookies directory *and* in the G:\Temporary Internet
Files\Cookies RAM drive directory.

I don't know how Windows is preserving these cookies. Any thoughts?

================
Thomas C. Greene
Washington Bureau Chief
"The Register"
mailto:thomas.greene () theregister co uk
http://www.theregister.co.uk