Re: Re(3): Filtering potentially dangerous URI schemas in <a href="...">
by hackmare (Pilgrim)
on Oct 21, 2002 at 15:20 UTC
I think that you will find that while possible to break an encrypted cookie eventually, it is by no means a trivial task.
If I can display your cookie to you, I can send it to me. If I can get your cookie, I can login as you.
Here is my password per Petrucio's site...
I invite you to log into my account and send me a message telling me you did it.
Update by Dog and Pony: I can do better than that. I am very sorry for this intrusion, but what better way to prove my point? After all, you invited me into your account. And no, I will not tell you how I did it. Suffice it to say that encryption does not matter in this case. I'd really advise you to change your password fast. I could do it for you, but that wouldn't really help, now would it? :)
Update by hackmare: Very well done, dog_and_pony. I am clearly wrong and misinformed.
Please reply in another post rather than in mine. And no offense taken for your demonstration.
While not impossible, it is much too difficult to do for the vast majority of hackers. If that were not the case, there would be no such thing as cookies or secure web apps. I seriously doubt anyone without a crypto background can do it.
But this does not change the fact that exposing all of us to the risks of cross-site scripting is a Very Bad Thing for us and for PerlMonks's reputation if there is any problem.
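The thread's point is that once script runs in the page, the cookie is readable regardless of how it is encrypted, so the defence has to be at the href filter. The following is an added example of such a filter, written for this edit and not code posted by hackmare, Dog and Pony, or PerlMonks. It allow-lists schemes instead of block-listing "javascript:", and first undoes the tricks used to smuggle a scheme past a naive check: leading control characters, tabs and newlines inside the scheme, mixed case, and HTML entities hiding letters or the colon. The entity decoding assumes the href reaches the filter as raw attribute text before HTML parsing; the whitespace stripping is modelled on how browsers pre-process a URL before looking at its scheme.

```javascript
// Added example: allow-list filter for href schemes (not from the original thread).
const ALLOWED_SCHEMES = new Set(['http', 'https', 'mailto', 'ftp']);

// Decode the HTML entities an attacker can use to disguise a scheme, e.g.
// "&#106;avascript:" or "java&Tab;script&colon;". Only entities that matter for
// scheme obfuscation are handled; out-of-range code points are dropped.
function decodeEntities(s) {
  const fromCp = (cp) => (cp <= 0x10ffff ? String.fromCodePoint(cp) : '');
  return s
    .replace(/&#x([0-9a-f]+);?/gi, (_, h) => fromCp(parseInt(h, 16)))
    .replace(/&#(\d+);?/g, (_, d) => fromCp(parseInt(d, 10)))
    .replace(/&colon;/gi, ':')
    .replace(/&tab;/gi, '\t')
    .replace(/&newline;/gi, '\n');
}

// Browsers strip leading and trailing C0 controls/spaces and remove tab, LF and
// CR anywhere in the URL before parsing, so " \tjav\nascript:..." still runs.
// Normalise the same way so the filter sees what the browser will see.
function normaliseHref(href) {
  return String(href)
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, '')
    .replace(/[\t\n\r]/g, '');
}

// Returns true only for relative URLs or absolute URLs whose scheme is on the
// allow list. Anything else (javascript:, data:, vbscript:, unknown schemes)
// is rejected, including obfuscated spellings.
function isSafeHref(href) {
  const h = normaliseHref(decodeEntities(String(href)));
  const m = /^([a-z][a-z0-9+.\-]*):/i.exec(h);
  if (!m) {
    return true; // no scheme at all: a relative link that stays on this origin
  }
  return ALLOWED_SCHEMES.has(m[1].toLowerCase());
}

// Replace an unsafe href with an inert fragment rather than trying to "clean" it.
function sanitizeHref(href) {
  return isSafeHref(href) ? href : '#';
}

// Constructed sample links to show what the filter lets through.
const SAMPLES = [
  'https://perlmonks.org/',
  '/index.pl?node_id=123',
  'mailto:someone@example.org',
  'javascript:alert(document.cookie)',
  'JaVaScRiPt:alert(1)',
  ' \t javascript:alert(1)',
  'jav\nascript:alert(1)',
  'java&#x09;script:alert(1)',
  '&#106;avascript:alert(1)',
  'javascript&colon;alert(1)',
  'data:text/html,<script>alert(1)</script>',
  'vbscript:MsgBox(1)',
];

for (const s of SAMPLES) {
  console.log(isSafeHref(s) ? 'ALLOW ' : 'BLOCK ', JSON.stringify(s));
}
```

Note that a scheme-relative link such as "//evil.example/" passes this check because it has no scheme of its own; if links must stay on the site, also reject hrefs that start with two slashes, or resolve them against the site origin first.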