Modify a Cookie's value

Question

I'm trying to set a secure session for a login interface and I'm checking if some hashed value saved on the $_COOKIE and in $_SESSION matches in both arrays. I need to change the value of the cookie via javascript to simulate an attack and check if my secure session works (if that is even possible, of course). Deleting the cookie wont work because I have a different validation for when the cookies doesnt exist.

Is it possible to modify a cookie's value via javascript and if so, how to?

See https://developer.mozilla.org/en-US/docs/Web/API/document.cookie — Barmar, Jul 30 '13 at 03:04

score 2 · Accepted Answer · edited May 23 '17 at 12:29

2

Is it possible to modify a cookie's value via javascript and if so, how to?

Yes. Provided it lives under the same domain and path, you can ready, modify, create, or destroy cookies either by JavaScript (document.cookie) or PHP ($_COOKIE and set_cookie()).

As noted, you could also manipulate cookies via the developer tools of most modern browsers.

edited May 23 '17 at 12:29

Community

1
1

answered Jul 30 '13 at 03:06

Jason McCreary

71,546
23
135
174

1

*sidenote:* requires to be in same domain path if cookie domain path is specified – Raptor Jul 30 '13 at 03:07
@Shivan Raptor, added. Thanks. For more on how domains work, check out - http://stackoverflow.com/questions/1062963/how-do-browser-cookie-domains-work – Jason McCreary Jul 30 '13 at 03:09

score 0 · Answer 2 · answered Jul 30 '13 at 03:03

0

Since cookies are actually stored within the browser, it is definitely possible :)

https://developer.mozilla.org/en-US/docs/Web/API/document.cookie

answered Jul 30 '13 at 03:03

Ken

548
6
19

it is preferred to give examples to OP. – Raptor Jul 30 '13 at 03:04
True, however at the bottom of that reference is a sufficiently thorough example. ;) – Ken Jul 30 '13 at 03:05

Modify a Cookie's value

2 Answers2