Can user change the value of cookie?

scoppc

Just out of curiosity, can the cookie value be changed? I mean, by opening from temporary internet files folder and then change the value.

Is that possible?

Anon

Cokkies can be changed.
passwords never stored in cookies.
Other details
no problem. Even if they change

security should be taken care that sessions match cookie values..

Sincerely
saikumar

scoppc

So, are you saying that the following things may happen:

Username and status are stored in cookie file.
Script uses user's status stored in cookie to determine the area within the website that can be accessed.
If status=="admin" then everything is enabled (edit, add, delete, everything!)
A user open and change his status from "member" to "admin". Save the cookie file and run the script.
He is the admin!

Is that true??????

Anon

You can see for yourself

just set a cookie to whatever

click start->find->type "cookies"

should find a folder called cookies

open the most recent one and there is your data

Anon

Yes. In most modern browsers, cookies can be encrypted so they can't be changed easily, but many people who wanted to could get around it. Don't rely on form or cookie data to protect your site. When you get the value of a hidden input or cookie, imagine that there was a checkbox or text input box instead. Would your site be safe then? For your site, when an admin-only command is to be performed, check the user name to see if it has admin privlages.