Circumventing Password Authentication

Description of the Problem

Many sites initially require a username and password to authenticate the user. However, in the future, the cookie is the only token needed. Often these cookies are easily forged or guessed by an interrogative adversary.


New England Bride ( uses a cookie called ID to verify its users. The value of the cookie is the user's id (in plaintext). Create an ID cookie with your ex-girlfriend's username as the value, set your URL to , and you have instant access to her name, address, phone number, e-mail address, wedding date and place, and password -- interesting how many of these bear a startling resemblance to the groom's name -- that's right, it comes up on the screen in the clear. In addition, if she's using the services provided, you can have access to (and alter) her guest list and the list of support services (caterers, etc.) she's using.


Use authenticators which are not easily predictable or guessable.

List of Sites who have suffered this problem

[Home]   [Publications]   [Cookie encyclopedia]   [Mailing list]   [FAQ]   [Contact us]

[Blue Ribbon Campaign icon]
Join the Blue Ribbon Online Free Speech Campaign!