A client points out there may be a security issue with my WordPress page - what he did is to delete the cookies set by WordPress in the request header, and see if he could access the protected areas. He could. So to replicate the problem, I did a sanity test.

I have written some sample code to test the relationship between cookies and the request header in PHP:

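```php
<?php
// setcookie() only adds a Set-Cookie response header, so call it before any output
setcookie("test", 5);
// $_COOKIE contains only the cookies the client sent with this request
echo '<pre>'.print_r($_COOKIE, true)."</pre>";
?>
```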

I grab the request header from Chrome:

```
Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding:gzip,deflate,sdch
Accept-Language:en-US,en;q=0.8
Cache-Control:max-age=0
Connection:keep-alive
Cookie:test=5
Host:localhost:8888
Referer:http://localhost:8888/testcookies/
User-Agent:Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36
```

And using DHC by Restlet, I remove the line with the Cookie, and send it to the page with the script above. Somehow, the value of the test cookie is still set? Why, and is it a security vulnerability?

Filip
Extrakun
    In case that's feasible for your setup, try printing the results of `getallheaders()` and `microtime()` to check whether the cookie header really has been removed and you're not seeing a cached version of the page. – VolkerK Jan 14 '14 at 10:39

1 Answer

You might not be explicitly setting the cookies in the Dev HTTP Client, but Chrome will add them automatically since you are making a request to a site for which you have cookies.

This isn't a security vulnerability. It is just a consequence of using a tool built around a browser.

You might want to try constructing the HTTP request manually in a telnet client.

Quentin
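The manual request suggested in the answer, as an added example that is not part of the original post: a Python script that writes the HTTP request by hand over a socket, so no browser cookie jar can attach a `Cookie` header. The `EchoCookies` handler is a constructed stand-in for the PHP test page, and every name in the script is an assumption.

```python
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


class EchoCookies(BaseHTTPRequestHandler):
    """Constructed stand-in for the PHP page: report the Cookie header, set test=5."""

    def do_GET(self):
        body = ("Cookie header received: %r" % self.headers.get("Cookie")).encode()
        self.send_response(200)
        self.send_header("Set-Cookie", "test=5")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # suppress per-request logging
        pass


def raw_get(port, extra_headers=()):
    """Send a hand-written request, as telnet would; return (response headers, body)."""
    lines = ["GET /testcookies/ HTTP/1.1", "Host: localhost:%d" % port,
             "Connection: close", *extra_headers, "", ""]
    with socket.create_connection(("127.0.0.1", port), timeout=5) as sock:
        sock.sendall("\r\n".join(lines).encode("ascii"))
        response = b""
        while chunk := sock.recv(4096):
            response += chunk
    head, _, body = response.partition(b"\r\n\r\n")
    return head.decode(), body.decode()


def demo():
    """Request the page once without and once with a Cookie header."""
    server = HTTPServer(("127.0.0.1", 0), EchoCookies)  # port 0: any free port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        port = server.server_address[1]
        without = raw_get(port)                        # nothing adds a cookie here
        with_cookie = raw_get(port, ["Cookie: test=5"])
    finally:
        server.shutdown()
        server.server_close()
    return without, with_cookie


if __name__ == "__main__":
    for head, body in demo():
        print(body)
```

The first response still carries `Set-Cookie: test=5`, but the server reports no received cookie, because only a client that stores the cookie and sends it back makes it appear in the next request.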