Network Security Web-App-Sec

Web site cookie overload?

Subject: Web site cookie overload?
Date: Mon, 17 Jan 2005 21:59:30 -0500
Hi,

I run a cookie tosser program on my Windows laptop.  This program
periodically deletes my Internet Explorer cookies for many Web sites that I
visit.  I only keep around cookies for a few Web sites like the New York
Times and the Wall Street Journal because I do not want to have to keep
relogging into these sites.

One of the cookie tossers I run deletes most Web site cookies every few
minutes.  For Web sites which I go to often during the day like Google and
third-party ad networks, I might look like 10, 20, or 30 unique visitors.
For each visit, I am given a new cookie ID number by a Web site.  Because my
cookie tosser does not delete cookies right away, a Web site should see me
as a real visitor because Internet Explorer will send back a cookie ID
number to a Web site a few times before the cookie is tossed.

What I am wondering is what will happen at high volume Web sites if a lot of
folks started running the same cookie tosser that I am using.  Will Web
sites start breaking down because of an overload of cookies being assigned to
too many unique visitors?  By a lot of people, I am thinking here a minimum
of 10 million computer users.  With a cookie tosser, these computer users
might start looking like 50 to 100 million new visitors each day on high
volume Web sites.  Will such a volume of new visitors cause problems for
some Web sites?

The cookie tosser I am running is actually built into Internet Explorer.
Microsoft does not really tell users about this feature and it has a
terrible user interface.  It requires an XML file to be created manually
which instructs Internet Explorer how to handle cookies.  One of the options
in the XML file tells Internet Explorer to convert permanent cookies to
session cookies.  I turn this option on so that Internet Explorer acts as a
cookie tosser.  I then explicitly list in the XML file all the Web sites
like the New York Times and the Wall Street Journal to prevent their cookies
from being converted to session cookies.

Here is documentation from Microsoft about this feature of Internet
Explorer:

   How to Create a Customized Privacy Import File 
   http://tinyurl.com/2ners

And here is a copy of the XML file that I use to do the cookie tossing:

   http://www.computerbytesman.com/privacy/blocker.xml

I've been running this Internet Explorer cookie tosser on and off for a year
now and it works great.  I have found that a cookie tosser is more effective
than a cookie blocker, because some Web sites require cookies to be turned
on in order to use a site.  A cookie tosser will work with these sites,
while a cookie blocker will not.

Richard M. Smith
http://www.ComputerBytesMan.com
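
A small model of the policy described in the post above, added here as an illustration: persistent cookies are downgraded to session cookies unless the site is on a keep list. This is not the poster's XML file or Internet Explorer's implementation; the domain names, function names and Set-Cookie values are assumptions constructed for the example.

```python
# Added illustration: models "convert persistent cookies to session cookies,
# except for explicitly listed sites" as described in the post.
# The keep list and all cookie values are constructed samples.

# Assumed domain names for the two sites the post says it keeps cookies for.
KEEP_PERSISTENT = {"nytimes.com", "wsj.com"}


def site_is_listed(host, listed=KEEP_PERSISTENT):
    """True if host equals a listed domain or is a subdomain of one."""
    host = host.lower().rstrip(".")
    # Require a dot boundary so "notnytimes.com" does not match "nytimes.com".
    return any(host == d or host.endswith("." + d) for d in listed)


def downgrade_to_session(set_cookie):
    """Drop Expires and Max-Age so the cookie ends with the browser session."""
    parts = [p.strip() for p in set_cookie.split(";")]
    kept = [parts[0]]  # the name=value pair always comes first
    for attr in parts[1:]:
        if not attr:
            continue  # tolerate a trailing ';'
        name = attr.split("=", 1)[0].strip().lower()
        if name not in ("expires", "max-age"):
            kept.append(attr)
    return "; ".join(kept)


def apply_policy(host, set_cookie):
    """Return the Set-Cookie value as it would effectively be stored."""
    if site_is_listed(host):
        return set_cookie  # listed site: the persistent cookie survives
    return downgrade_to_session(set_cookie)


if __name__ == "__main__":
    samples = [  # constructed (host, Set-Cookie value) pairs
        ("www.nytimes.com", "login=abc; Expires=Wed, 17 Jan 2035 00:00:00 GMT; Path=/"),
        ("ads.example.net", "uid=123; expires=Wed, 17 Jan 2035 00:00:00 GMT; Max-Age=3600; Path=/"),
    ]
    for host, value in samples:
        print(host, "->", apply_policy(host, value))
```

A server that keys visitor state on such an ID sees a downgraded cookie come back only until the browser session ends, then issues a fresh ID on the next visit.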
