could somebody decode the cookies stored...

By Snuffy09 ·
on your computer to reveal saved passwords and saved credit card data? My paranoid friend seems to think so. I am skeptical...



All Answers


No, that's not what cookies are for...

by robo_dev In reply to could somebody decode the ...

Cookies are used to maintain session state.

This allows the application to let you move around without having to log in for each page, or having to add items to your shopping cart over and over.

You can view and/or decode your own cookies yourself with something like the Firefox 'view cookie' extension.

I've never seen a web application that used cookies to store passwords, credit card data, or anything like that.

The only very slight risk with respect to cookie theft is the threat of session hijacking.

Session hijacking would occur if somebody stole the cookie from your PC that was used for a secure web site and immediately connected to the secured web site with your cookie.

For a VERY limited time period, like a couple of minutes, that cookie could be used to fool the host application into allowing the cookie thief to hijack the user session.

BUT, to prevent that sort of risk, normally Web apps that use SSL encryption also use SSL encryption to send the cookies. If the data stream is encrypted, then intercepting cookies from the data stream is virtually impossible.

Plus, the attacker has to know what site you're connected to, be able to get to your data stream directly, etc.

Therefore session hijacking is not a very severe threat for most web application users.

The only possible scenario where this could be an issue would be for something like a kiosk PC at a mall that is shared by many users... then an attacker could be physically present to steal/use a cookie.
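An added example, not part of the original thread: a small Python audit of `Set-Cookie` headers that shows what "decoding a cookie" yields in practice and whether the cookie is restricted to encrypted connections, as the answer above describes. The cookie names and values are constructed samples, and `decode_value` and `audit` are hypothetical helper names.

```python
import base64
import binascii
from http.cookies import SimpleCookie
from urllib.parse import unquote

# Constructed Set-Cookie values for illustration (not captured from any real site).
SAMPLE_HEADERS = [
    "SESSIONID=9f8b2c4e-1a7d-4c0f-b3a6-e5d2c1b0a998; Path=/; Secure; HttpOnly",
    "cart=eyJpdGVtcyI6WzEwMSwyMDJdfQ==; Path=/",
    "prefs=lang%3Den%26theme%3Ddark; Path=/; Secure",
]

def decode_value(raw):
    """Heuristic: return (encoding, text) for a cookie value."""
    text = unquote(raw)
    if text != raw:
        return "url-encoded", text
    try:
        decoded = base64.b64decode(raw, validate=True).decode("utf-8")
        if decoded and decoded.isprintable():
            return "base64", decoded
    except (binascii.Error, UnicodeDecodeError):
        pass
    # Random-looking token: only meaningful to the server that issued it.
    return "opaque", raw

def audit(header):
    """Parse one Set-Cookie value and list what a reviewer would flag."""
    jar = SimpleCookie()
    jar.load(header)
    if not jar:
        raise ValueError("no cookie found in header")
    name, morsel = next(iter(jar.items()))
    encoding, text = decode_value(morsel.value)
    findings = []
    if not morsel["secure"]:
        findings.append("no Secure flag: also sent over unencrypted HTTP")
    if not morsel["httponly"]:
        findings.append("no HttpOnly flag: readable by page scripts")
    if encoding != "opaque":
        findings.append(f"value is {encoding}, not encrypted")
    return {"name": name, "encoding": encoding, "decoded": text, "findings": findings}

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        report = audit(header)
        print(report["name"], report["encoding"], report["decoded"])
        for finding in report["findings"]:
            print("  -", finding)
```

The opaque session ID decodes to nothing useful on its own, while the base64 and URL-encoded values are plain data to anyone who can read the cookie store.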
