Re: Unable to impersonate another user although having its cookie

[Marc Ouwerkerk <olderchurch () gmail com>]

pUm is right. You can download the code form Cake and see for
yourself. In cake\libs\session.php you will see the following check:
if ((Configure::read('Session.checkAgent') === false ||
$this->_userAgent == $this->read('Config.userAgent')) && $this->time
<= $this->read('Config.time')) {

Hope this helps

Cheers,

Marc

On Wed, Jul 1, 2009 at 4:00 PM, pUm<hijacka () googlemail com> wrote:
> just a gues,
> but try to fake the user agent. something in the http header must be
> part of the cookie auth. so try them all and then reduce. My guess is
> that it is the user-agent
>
> 2009/7/1 Juan Kinunt <kinunt () gmail com>:
> > Hi,
> >
> > I'm auditing a web application programmed in CakePHP and I'm having a problem.
> > I'm almost sure the authentication mechanism is carried by a cookie
> > but I'm unable to impersonate another user using its cookie.
> > The probe I do is opening two sessions with two different users (one
> > in internet explorer and one in firefox). Then I copy the cookie
> > belonging to one user and substitute it in a request done by the other
> > user (using WebScarab). The app throws and error and disconnects the
> > validated and legal user.
> > I think that some info is stored in server side about the client who
> > owns each cookie.
> >
> > Is this possible? Is it the normal operation in sessions in CakePHP?
> >
> > Any info or pointer would be very useful.
> >
> > Thanks.