hidden cookies?

Tim Jones tjones at mail.wesleyan.edu
Tue Dec 4 10:36:29 PST 2001 

I'm taking a class at Wesleyan University in the US called "Cryptography 
and Network Security". Wesleyan students can currently access their email 
via v2.2.5 of Horde IMP. As part of my final project, I'm attempting to 
write an exploit of the cross-site scripting vulnerability that Joao Pedro 
Goncalves noted on this mailing list last month.

In exploring Horde's session-authentication scheme, I've been unable to 
figure out where Horde stores its session ID cookie on the client's 
computer. For instance, when I log in to access my email, my browser will 
alert me that my mail server is sending me a cookie called "HordeSession"; 
but afterwards, I can find no cookie of that name on my hard drive. (ie, in 
Netscape's "cookies.txt" or MSIE's "/windows/cookies/") Can anyone explain 
to me how my computer is then able to authenticate itself to the Horde 
server without appearing to store the HordeSession cookie?

I'm making every effort to insure that these experiments are being 
conducted legitimately: I've notified Wesleyan's sysadmin and 
computer-science department and am accessing only my personal email account 
and those of friends I've consulted with beforehand.

Any words of wisdom would be appreciated! Many thanks in advance,
=Timmy Jones=



>From chuck at horde.org Date: Tue,  4 Dec 2001 13:44:47 -0500
Return-Path: <chuck at horde.org>
Mailing-List: contact horde-help at lists.horde.org; run by ezmlm
Delivered-To: mailing list horde at lists.horde.org
Received: (qmail 6885 invoked from network); 4 Dec 2001 18:45:25 -0000
Received: from h00104bc60b3c.ne.mediaone.net (HELO marina.horde.org) (24.91.196.127)
  by clark.horde.org with SMTP; 4 Dec 2001 18:45:25 -0000
Received: by marina.horde.org (Postfix, from userid 33)
	id 3A64E39EB; Tue,  4 Dec 2001 13:44:47 -0500 (EST)
Received: from 192.168.0.115 ( [192.168.0.115])
	as user chuck at localhost by marina.horde.org with HTTP;
	Tue,  4 Dec 2001 13:44:47 -0500
Message-ID: <1007491487.3c0d199f1498a at marina.horde.org>
Date: Tue,  4 Dec 2001 13:44:47 -0500
From: Chuck Hagenbuch <chuck at horde.org>
To: horde at lists.horde.org
References: <4.2.0.58.20011204124454.00b33b40 at 127.0.0.1>
In-Reply-To: <4.2.0.58.20011204124454.00b33b40 at 127.0.0.1>
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
User-Agent: Internet Messaging Program (IMP) 4.0-cvs
Subject: Re: [horde] hidden cookies?

Quoting Tim Jones <tjones at mail.wesleyan.edu>:

> In exploring Horde's session-authentication scheme, I've been unable to 
> figure out where Horde stores its session ID cookie on the client's 
> computer. For instance, when I log in to access my email, my browser will 
> alert me that my mail server is sending me a cookie called "HordeSession"; 
> but afterwards, I can find no cookie of that name on my hard drive. (ie, in
> Netscape's "cookies.txt" or MSIE's "/windows/cookies/") Can anyone explain 
> to me how my computer is then able to authenticate itself to the Horde 
> server without appearing to store the HordeSession cookie?

Session cookies are never written to disk.

-chuck

--
Charles Hagenbuch, <chuck at horde.org>
"What was and what may be, lie, like children whose faces we cannot see, in the
arms of silence. All we ever have is here, now." - Ursula K. Le Guin

More information about the horde mailing list