How to tamper cookie.

Question

Dear All, I just wanted to know how to tamper cookie(just for knowledge purpose :-)).I have created one application and tried to tamper the cookie but its not working. Code:

protected void Button1_Click(object sender, EventArgs e) { if (Request.Cookies["myCookie"] != null) { Response.Redirect("Default2.aspx");

    }
    else
    {

        HttpCookie storeData = new HttpCookie("myCookie");
        storeData["name"] = "Arin";
        storeData["color"] = "Blue";
        storeData.Expires = DateTime.Now.AddDays(1);
        Response.Cookies.Add(storeData);
        Response.Redirect("Default2.aspx");
    }
}

Code(Default2.aspx): protected void Page_Load(object sender, EventArgs e) {

    HttpCookie storeData = Request.Cookies["myCookie"];
    string myString= storeData["name"];
    TextBox1.Text = myString;
}

Saved Cookie Contents: myCookie name=Arin&color=Blue localhost/ 1024 1178851840 29993085 467738336 29992884 *

When I run the code its crateing the cookie,also next time its checking if the cookie exists,if yes then its redirecting to default2.aspx page and i am getting name in the text box. But when I am tampering the cookie Lets say when I am changing Arin to Arinzzz, its not getting reflected,the Application is considering no cookie name "myCookie " exsists and is crateing a new cookie and thus I am not getting Arinzzz in Default2.aspx,am I missing Something.Thanks in advance for ur help.

Answer 1

If you just want to play with cookies, use the "Add N Edit Cookies" plug-in on Firefox.

Answer 2

do you actually end up with 2 cookies saved to your hard drive? if so, you should be able to compare the 2 and see what is different.

Answer 3

Set a breakpoint on both ends and see what's going on, and also let us know HOW you're tampering the cookie. I wrote a simple example doing just as you said, tampered the cookie with the Web Developer plugin in Firefox (View Cookies -> Edit Cookie), and then reloaded the page, and the tampered data was displayed.

This question sounds like it would be better answered by debugging more. I'm guessing that you're using a tool/method to tamper the cookie that is invalidating it, or you have some program logic that is recreating the cookie when you are not expecting it to.

Also, you can see the contents of the cookie being sent in both directions (request and response) with another firefox plugin called Live HTTP Headers to see if there's an issue with it not being sent back to the server. This plugin will show you all headers being sent with requests and responses, including all cookies.

Web Developer plugin

Live HTTP Headers plugin