vincent wrote:
Cookies can be set to be returned only to one domain, but they can equally simply be set to be sent to any domain.
That's why you should never use cookies with obvious names.
Simply prepending your site's name usually does the trick,
so your 'id' cookie would become something like 'your_site_id'
Are you sure that they can be set to any domain? I was looking into this more, and I found the Netscape Cookie Specification (http://www.netscape.com/newsref/std/cookie_spec.html) and it states the following:
"Only hosts within the specified domain can set a cookie for a domain and domains must have at least two (2) or three (3) periods in them to prevent domains of the form: ".com", ".edu", and "va.us". Any domain that fails within one of the seven special top level domains listed below only require two periods. Any other domain requires at least three. The seven special top level domains are: "COM", "EDU", "NET", "ORG", "GOV", "MIL", and "INT".
The default value of domain is the host name of the server which generated the cookie response."
This would lead me to believe that in order for the doubleclick cookie to get to my server, something very odd must have happened either on my server or with the client's web browser. This might just be an isolated incident, but I'd like to find out what happened.
Jason Bauer
jbauer@mtu.edu
Michigan Tech Fund
Web Site Coordinator
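
The domain rule quoted from the Netscape specification in the post above, written out as an added example (not part of the original post, and not any browser's actual code). The function names and the example.edu / example.net hosts are constructed for illustration, and the label-boundary suffix match is an assumption about how "within the specified domain" is checked.

```javascript
// Added example: the Netscape cookie domain rule as quoted in the post.
// All names and sample hosts here are constructed, not taken from a browser.
const SPECIAL_TLDS = new Set(["com", "edu", "net", "org", "gov", "mil", "int"]);

// True when host equals the domain or ends with it on a label boundary
// (assumption: stricter than a plain string-suffix comparison).
function tailMatches(host, domain) {
  const h = host.toLowerCase();
  const d = domain.toLowerCase();
  const bare = d.startsWith(".") ? d.slice(1) : d;
  return h === bare || h.endsWith("." + bare);
}

function countPeriods(s) {
  return (s.match(/\./g) || []).length;
}

// Decide whether a Set-Cookie sent by `host` with this domain attribute is accepted.
function maySetCookie(host, domainAttr) {
  // Default: the domain is the host name of the server that generated the response.
  if (domainAttr === undefined || domainAttr === "") {
    return { ok: true, domain: host.toLowerCase() };
  }
  const domain = domainAttr.toLowerCase();
  const tld = domain.split(".").pop();
  // Two periods for the seven special top level domains, three for any other.
  const required = SPECIAL_TLDS.has(tld) ? 2 : 3;
  if (countPeriods(domain) < required) {
    return { ok: false, reason: "too few periods" };
  }
  // Only hosts within the specified domain can set a cookie for it.
  if (!tailMatches(host, domain)) {
    return { ok: false, reason: "host not within domain" };
  }
  return { ok: true, domain };
}

// A stored cookie is returned only to request hosts within its domain.
function wouldSendCookie(cookieDomain, requestHost) {
  return tailMatches(requestHost, cookieDomain);
}
```

Under this rule a cookie scoped to `.example.net` is never returned to `www.example.edu`, and a server at `ads.example.net` cannot set one for `.example.edu`. Current browsers no longer count periods; they check the domain against the Public Suffix List instead.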