Re: Unable to impersonate another user although having its cookie

[jay.tomas () infosecguru com]

If I understand the issue correctly you login successfully and get a  
cookie. You then try and login a second time with another browser  
trying to impersonate the first authenticated user. However, the first  
session then gets logged out. To me this would be expected if the app  
is designed correctly. I would think you would only want 1 valid login  
at a time, and if another one is used it would invalidate the other.

-Jay


Quoting pUm <hijacka () googlemail com>:

> just a gues,
> but try to fake the user agent. something in the http header must be
> part of the cookie auth. so try them all and then reduce. My guess is
> that it is the user-agent
>
> 2009/7/1 Juan Kinunt <kinunt () gmail com>:
> > Hi,
> >
> > I'm auditing a web application programmed in CakePHP and I'm having  
> >  a problem.
> > I'm almost sure the authentication mechanism is carried by a cookie
> > but I'm unable to impersonate another user using its cookie.
> > The probe I do is opening two sessions with two different users (one
> > in internet explorer and one in firefox). Then I copy the cookie
> > belonging to one user and substitute it in a request done by the other
> > user (using WebScarab). The app throws and error and disconnects the
> > validated and legal user.
> > I think that some info is stored in server side about the client who
> > owns each cookie.
> >
> > Is this possible? Is it the normal operation in sessions in CakePHP?
> >
> > Any info or pointer would be very useful.
> >
> > Thanks.



----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.