pUm is right. You can download the code form Cake and see for
yourself. In cake\libs\session.php you will see the following check:
if ((Configure::read('Session.checkAgent') === false ||
$this->_userAgent == $this->read('Config.userAgent')) && $this->time
<= $this->read('Config.time')) {

Hope this helps

Cheers,

Marc

On Wed, Jul 1, 2009 at 4:00 PM, pUm<hijacka (at) googlemail (dot) com [email concealed]> wrote:
> just a gues,
> but try to fake the user agent. something in the http header must be
> part of the cookie auth. so try them all and then reduce. My guess is
> that it is the user-agent
>
> 2009/7/1 Juan Kinunt <kinunt (at) gmail (dot) com [email concealed]>:
>> Hi,
>>
>> I'm auditing a web application programmed in CakePHP and I'm having a problem.
>> I'm almost sure the authentication mechanism is carried by a cookie
>> but I'm unable to impersonate another user using its cookie.
>> The probe I do is opening two sessions with two different users (one
>> in internet explorer and one in firefox). Then I copy the cookie
>> belonging to one user and substitute it in a request done by the other
>> user (using WebScarab). The app throws and error and disconnects the
>> validated and legal user.
>> I think that some info is stored in server side about the client who
>> owns each cookie.
>>
>> Is this possible? Is it the normal operation in sessions in CakePHP?
>>
>> Any info or pointer would be very useful.
>>
>> Thanks.
>>
>>
>>
>
>
>

[ reply ]