
UserId in cookies - Understanding dev mindset?
Posted in Bug Help by @noobness

A website sets 2 cookies after logging in:

  1. SessionToken
  2. UserId

Almost every request displays a response based on the SessionToken value, and changing the UserId value to someone else's does NOT display his data. Removing the UserId cookie from the request has no effect either, i.e., it doesn't sign me out.

I've seen this behaviour on a lot of websites and am just trying to understand the dev mindset. I have the following questions regarding this:

  1. Where is that cookie being used exactly?
  2. Why do they need to set UserId as a cookie, and why not as a session variable? An attacker cannot manipulate a session variable, right?

Posted on 2018-12-05
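
Added example, not part of the original post and not the site's code: a minimal model of the behaviour described above, where identity is resolved from a server-side session keyed by SessionToken and the UserId cookie is never read, next to a contrast handler that trusts the cookie. The session store, handler names and sample accounts are all hypothetical.

```python
import secrets

# Constructed server-side session store: token -> user id. Never sent to the client.
SESSIONS = {}
# Constructed sample data.
PROFILES = {"1001": "alice@example.test", "1002": "bob@example.test"}


def login(user_id):
    """Create a session and return the two cookies described in the post."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = user_id
    return {"SessionToken": token, "UserId": user_id}


def profile_session_bound(cookies):
    """Identity comes only from the server-side session lookup.

    The UserId cookie is never read, so changing or removing it has no effect.
    """
    user_id = SESSIONS.get(cookies.get("SessionToken", ""))
    if user_id is None:
        return 401, None
    return 200, PROFILES[user_id]


def profile_trusting_cookie(cookies):
    """Contrast case: a valid session is required, but the record is chosen
    by the client-supplied UserId cookie, so any logged-in user can pick any id."""
    if cookies.get("SessionToken", "") not in SESSIONS:
        return 401, None
    email = PROFILES.get(cookies.get("UserId", ""))
    return (200, email) if email else (404, None)


def tamper(cookies, user_id=None):
    """Return a copy of the cookies with UserId replaced, or removed if None."""
    changed = {k: v for k, v in cookies.items() if k != "UserId"}
    if user_id is not None:
        changed["UserId"] = user_id
    return changed


if __name__ == "__main__":
    alice = login("1001")
    for handler in (profile_session_bound, profile_trusting_cookie):
        print(handler.__name__, handler(alice),
              handler(tamper(alice, "1002")), handler(tamper(alice)))
```

The session-bound handler returns the same record whether UserId is intact, altered or missing, which matches what the post observes; only the contrast handler changes its answer when the cookie changes.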