
UserId in cookies - Understanding dev mindset?
Posted in Bug Help by @noobness




noobness

Researcher

A website sets 2 cookies after logging in:

  1. SessionToken
  2. UserId

Almost every request is displaying a response based on the SessionToken value, and changing the UserId value to someone else's does NOT display his data. Removing the UserId cookie from the request has no effect either, i.e., it doesn't sign me out.

I've seen this behaviour in a lot of websites and am just trying to understand the dev mindset. I have the following questions regarding this:

  1. Where is that cookie being used exactly?
  2. Why do they need to set UserId as a cookie, and why not as a session variable? An attacker cannot manipulate a session variable, right?

Posted on 2018-12-05



thejohn

Researcher

Hi, I think the developer might have used userId in a specific part of the application's logic that you might not have invoked yet. For example, it might be used in the sign-out logic!


Posted on 2018-12-25 at 08:54:06am (GMT)
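
An added example, not part of the original thread and not the site's code: one server-side design consistent with what the question observes, shown beside the weak pattern where the handler trusts the UserId cookie. The store, profile data and function names are all hypothetical and constructed for illustration.

```python
import secrets

# Constructed server-side state (hypothetical): session token -> user id.
SESSIONS = {}
PROFILES = {"1001": "alice@example.test", "1002": "bob@example.test"}


def login(user_id):
    """Issue both cookies, as the site in the question does."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = user_id  # the "session variable" lives only on the server
    return {"SessionToken": token, "UserId": user_id}


def profile_trusting_cookie(cookies):
    """Weak pattern: the session is checked, but identity is taken from the
    client-controlled UserId cookie, so editing it changes whose data is read."""
    if cookies.get("SessionToken") not in SESSIONS:
        return None
    return PROFILES.get(cookies.get("UserId"))


def profile_from_session(cookies):
    """Pattern matching the observed behaviour: identity comes only from the
    server-side session, and the UserId cookie is never consulted."""
    user_id = SESSIONS.get(cookies.get("SessionToken"))
    return PROFILES.get(user_id) if user_id else None


def userid_cookie_mismatch(cookies):
    """Detection hook: True when a UserId cookie is present but disagrees
    with the session owner, which is worth logging as tampering."""
    owner = SESSIONS.get(cookies.get("SessionToken"))
    sent = cookies.get("UserId")
    return owner is not None and sent is not None and sent != owner
```

With the second handler, a changed or missing UserId cookie has no effect on the response, which is why the cookie can look unused from the outside.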