views: 360 | answers: 4

We have an application that, among other things, checks for the existence of a cookie and reads and decrypts the contents of the cookie. Though the data stored inside the cookie is not sensitive, it has been encrypted via TripleDes encryption. A question was raised today whether the cookie saved on a single PC could be copied on to another PC, and whether the web application would detect the presence of this copied cookie on another machine and ultimately decrypt what it would have on the original PC.

My question is this: we use the standard ASP.NET implementation to save cookies (i.e. via HttpResponse). Does the index.dat file prevent the transplant of a cookie from one machine to the other? What if the index.dat file was also transported and copied over, or is there some internal structure inside index.dat that ties a cookie to a specific machine?

+4  A: 

Yes, stealing cookies is a common technique to steal a session from a user.

Some sites try to bind a cookie to the IP of the client, but this fails in the face of big corporate proxies with multiple out-bound interfaces or other crazy setups.

David Schmitt
+11  A: 

Absolutely. This is one way that cross-site scripting (XSS) attacks work:

  1. I inject JavaScript into a page
  2. I wait for someone to look at the page
  3. The JavaScript I injected sends me your cookies
  4. I log in as you and do bad things

This particular issue bit SO during the private beta.

Michael Haren
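An added example in Python (not the original poster's ASP.NET code; the names `SERVER_KEY`, `SESSIONS`, `issue_session`, `validate_cookie`, `set_cookie_header` and `revoke_session` are assumptions) showing why the copied cookie in the question is accepted and what actually mitigates it: an HMAC only proves the server minted the cookie, so the same bytes validate from any machine, and the controls that matter are the server-side session store with expiry and revocation, plus the HttpOnly and Secure flags that blunt step 3 above.

```python
import hmac
import hashlib
import secrets
import time
from http.cookies import SimpleCookie

# Hypothetical server-side secret (constructed for this example, not a real key).
SERVER_KEY = b"example-server-key-not-for-production"

# Hypothetical server-side session store: session id -> (user, expiry epoch).
# Revoking an entry here is what stops a copied cookie; the cookie bytes
# themselves remain "valid" wherever they are presented.
SESSIONS = {}


def issue_session(user, ttl_seconds=900):
    """Create a server-side session and return the signed cookie value 'sid.tag'."""
    sid = secrets.token_urlsafe(16)          # never contains '.', so split() below is safe
    SESSIONS[sid] = (user, time.time() + ttl_seconds)
    tag = hmac.new(SERVER_KEY, sid.encode(), hashlib.sha256).hexdigest()
    return f"{sid}.{tag}"


def set_cookie_header(value):
    """Build a Set-Cookie header: HttpOnly hides the cookie from document.cookie
    (the XSS exfiltration step), Secure keeps it off plaintext HTTP."""
    c = SimpleCookie()
    c["session"] = value
    c["session"]["httponly"] = True
    c["session"]["secure"] = True
    c["session"]["samesite"] = "Strict"
    c["session"]["path"] = "/"
    return c.output(header="Set-Cookie:")


def validate_cookie(value, now=None):
    """Return the user for a presented cookie, or None if it must be rejected."""
    now = time.time() if now is None else now
    try:
        sid, tag = value.split(".", 1)
    except ValueError:
        return None                           # malformed cookie
    expected = hmac.new(SERVER_KEY, sid.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None                           # forged or tampered cookie
    entry = SESSIONS.get(sid)
    if entry is None or entry[1] < now:
        return None                           # revoked or expired on the server side
    return entry[0]                           # a copied cookie still lands here


def revoke_session(value):
    """Server-side logout: after this, every copy of the cookie is useless."""
    SESSIONS.pop(value.split(".", 1)[0], None)
```

Note that nothing in `validate_cookie` can tell the original machine from the copy; only expiry and revocation on the server bound the damage.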
A: 

In addition to the other answers: never trust anything coming from the user of a web app, regardless of whether it's encrypted.

This ties into the idea of validating input on both client and server. Don't trust that the validation on the client was done.

Dave_H
+1  A: 

Even if everything else is ok, if someone can get physical access to the user's machine, they could copy the cookies to another machine.

E.g. just clone the disk if needed!

Ian Ringrose