32
phiter
3y

Not me but my friend was so fucking worried when I showed him a security breach in a website he made for his company.

So that's how it went: We were talking about programming and stuff and we came to authentication logic. We were both still at college and both noob programmers.
He told me he didn't use sessions because they suck server memory and he found this neat thing called "cookies". He explained them to me and I was like "holy fuck"... I asked him to show me the website and log in to any account.
I opened Chrome DevTools and took a look at the stored cookies. There was only one: userId, stored as a plain number straight from the db primary key.

You guys should have seen his face when I changed the cookie value and was, all of a sudden, using his website as a completely different user.
I explained some stuff to him like database-stored sessions or encrypted cookies and he told me he'd fix that shit up first thing the next day.
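
An added example, not part of the original post and not the friend's code: the plain `userId` cookie described above next to an integrity-protected version of it. It uses an HMAC-signed cookie (authenticated rather than encrypted, so the id is still readable but cannot be changed undetected); the function names, `SECRET_KEY` and `MAX_AGE` are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import secrets
import time

# Assumption: a secret known only to the server (constructed here per run).
SECRET_KEY = secrets.token_bytes(32)
MAX_AGE = 3600  # seconds a cookie stays valid (assumed value)


def user_from_plain_cookie(cookie):
    """Weak form from the post: the server trusts whatever number arrives."""
    return int(cookie)


def _tag(payload):
    """URL-safe HMAC-SHA256 tag over the cookie payload."""
    mac = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode().rstrip("=")


def issue_cookie(user_id, now=None):
    """Return 'userId.expiry.tag'; the tag covers both the id and the expiry."""
    expiry = int(now if now is not None else time.time()) + MAX_AGE
    payload = f"{user_id}.{expiry}"
    return f"{payload}.{_tag(payload)}"


def user_from_signed_cookie(cookie, now=None):
    """Return the user id, or None if the cookie was altered or has expired."""
    try:
        user_id, expiry, tag = cookie.split(".")
        user_id, expiry = int(user_id), int(expiry)
    except ValueError:
        return None  # wrong shape, e.g. a bare number like the old cookie
    expected = _tag(f"{user_id}.{expiry}")
    # Constant-time comparison on bytes so timing does not leak tag prefixes.
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        return None
    if (now if now is not None else time.time()) >= expiry:
        return None
    return user_id
```

The cookie should still be set with the `Secure` and `HttpOnly` attributes; the signature only stops the value from being edited, it does not stop a stolen cookie from being replayed until it expires.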
