
Session Cookies.


michael_kent123


Is it possible to change session cookies into non-session cookies using a cookie editor which modifies the expiry date from "at end of session" to a date in the future?

If, for example, someone was sniffing cookies on an unsecured wireless network, then these cookies would only work for the attacker while the genuine user was logged into his webmail or Facebook or whatever. As soon as he logs out then the cookies are voided.

I experimented with this on my network. I logged into Facebook on one machine. On another machine I sniffed. I then logged out on the first machine. I used the cookies in Wireshark and imported them into Firefox. I then edited their expiry dates and tried to log in. However, I just was sent to the welcome page - because the genuine user had logged out.

So, I wonder, is there a way to use sniffed session cookies to log in even if the genuine user has already logged out?


It depends on the methods used to verify the cookie. There are two common methods used for handling Session IDs, let's call them time based and session based.

Session based cookies produce a pseudo random id that it puts in the cookie on the browser and also stores in the database on the server (along with session details, user, expiry date, etc). When a request comes in with a cookie it looks up the associated entry in the database and if valid uses it. At the point of actively logging out it drops the entry from the table and so that session ID is no longer valid.

Time based cookies create a session id that consists of a user identifier (e.g. username), the time issued, a pseudo random salt for variety and a hash. The hash is created using those values and a password/magic value that is kept private on the server. The server doesn't store any information about the session itself, instead when it receives a request with the cookie it verifies its hash is still valid and then checks the issued time in the cookie and if the cookie hasn't timed out it uses the data from that to get the user's details.

If the session based method is being used then when the user logs out the server actively removes the session and any future attempts to use that session cookie will fail. The downside is that you have to keep details of every active session, which can be a very large set of data for big systems, and search that list for every request.

The time based method cookies on the other hand will be active for a certain length of time. The user logging out doesn't invalidate them, it just has their browser throw the details away. The benefits of this method are that your server doesn't have to store the session details as it has everything it needs in the cookie (saving space) and that the same session cookie can be used for more than one host in the same domain, which may not share the same database. The downside is that you can't easily invalidate an individual session cookie (you can do all by changing your server's passwords used to generate/validate the cookies).

If you have the resources then, from a security point of view, session based cookies are usually a better choice than time based. Having said that, there are plenty of real world exceptions where the time based is a better choice, which makes it worth knowing about both methods.

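The two schemes described in the reply above, side by side, as an added example that is not part of the original thread. It shows why logout revokes a server-stored session ID but not a stateless signed cookie. `SERVER_KEY`, `TTL` and all function names are assumptions, and HMAC-SHA256 stands in for the unspecified hash.

```python
import hashlib
import hmac
import secrets
import time

SERVER_KEY = secrets.token_bytes(32)  # private "magic value", never leaves the server
TTL = 3600                            # cookie lifetime in seconds (constructed value)

# Session based: random ID in the cookie, all state in a server-side table.
sessions = {}                         # session_id -> (user, expires_at)

def session_login(user, now):
    sid = secrets.token_urlsafe(32)
    sessions[sid] = (user, now + TTL)
    return sid

def session_check(sid, now):
    entry = sessions.get(sid)
    if entry is None or now >= entry[1]:
        return None
    return entry[0]

def session_logout(sid):
    sessions.pop(sid, None)           # revocation: the ID stops working everywhere

# Time based: user|issued|salt|MAC, nothing stored on the server.
def _sign(payload):
    return hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()

def token_login(user, now):
    payload = f"{user}|{int(now)}|{secrets.token_hex(8)}"
    return f"{payload}|{_sign(payload)}"

def token_check(token, now):
    payload, _, mac = token.rpartition("|")
    if not hmac.compare_digest(mac.encode(), _sign(payload).encode()):
        return None                   # forged or tampered cookie
    user, issued, _salt = payload.rsplit("|", 2)
    if not 0 <= now - int(issued) < TTL:
        return None                   # expired (or issued in the future)
    return user

def demo():
    now = time.time()
    sid, tok = session_login("alice", now), token_login("alice", now)
    session_logout(sid)  # time based logout only makes the browser drop its copy
    return session_check(sid, now + 60), token_check(tok, now + 60), token_check(tok, now + TTL)
```

`demo()` returns `(None, "alice", None)`: the session ID is dead immediately after logout, while the signed cookie stays valid until its lifetime runs out, which is why stateless designs usually pair a short `TTL` with a server-side denylist or key rotation.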

Thanks for the in-depth response.

Another thing I don't understand is that when I log in to Facebook some of the cookies are not session cookies.

For example the "datr" cookie expires two years hence.

Yet when I sniff and inject the cookies the "datr" cookie expires at the end of session.

More about "datr": http://www.rafayhackingarticles.net/2011/07/facebook-cookie-stealing-and-session.html


Some cookies are hashes of user session data tied to IP addresses as well, so sites with higher security can invalidate them, but I don't know if that is the case in your situation.

There are a number of tools out there for session and side jacking though. Just make sure to have the MITM going first, then give something like Hamster and Ferret a try.

There is a tool I saw demoed at a conference that actually stores the cookies for offline use, so they can be replayed and reused including some session data, but it depends on the way the sites handle the use of them. Expiration dates on cookies can also be changed, but true "session" cookies only last until the user closes the browser and then they are no longer valid.
