UserId in cookies - Understanding dev mindset?
Posted in Bug Help by @noobness
A website sets 2 cookies after logging in:
Almost every request is displaying a response based on the SessionToken value, and changing the UserId value to someone else's does NOT display his data. Removing the UserId cookie from the request has no effect as well, i.e., it doesn't sign me out.
I've seen this behaviour in a lot of websites and am just trying to understand the dev mindset. I have the following questions regarding this:
- Where is that cookie being used exactly?
- Why do they need to set UserId as a cookie, and why not as a session variable? An attacker cannot manipulate a session variable, right?
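The behaviour described in the post, as an added example that is not part of the original post and is not the site's code: a server that resolves identity only from the server-side session behind SessionToken and treats the UserId cookie as an untrusted copy, logging a warning when the two disagree. The session store, profile data and function names are assumptions made for illustration.

```python
import secrets
from http.cookies import SimpleCookie

# Server-side state (constructed sample data). The session dict plays the
# role of the "session variable": the client never sees or edits it.
SESSIONS = {}
PROFILES = {"1001": "alice's data", "1002": "bob's data"}


def login(user_id):
    """Create a session and return the cookies the client would receive."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = {"user_id": user_id}  # authoritative identity
    # The UserId cookie is only a client-side copy of the value above.
    return {"SessionToken": token, "UserId": user_id}


def handle_request(cookie_header):
    """Return (status, body, warnings) for a request's Cookie header."""
    cookies = SimpleCookie()
    cookies.load(cookie_header)

    token = cookies["SessionToken"].value if "SessionToken" in cookies else None
    session = SESSIONS.get(token)
    if session is None:
        return 401, "not logged in", []

    warnings = []
    claimed = cookies["UserId"].value if "UserId" in cookies else None
    # A missing UserId cookie changes nothing; a mismatching one is a
    # tampering signal worth logging, but it never selects whose data
    # is returned.
    if claimed is not None and claimed != session["user_id"]:
        warnings.append(f"UserId cookie {claimed!r} does not match session user")

    # Authorization uses the server-side value only.
    return 200, PROFILES[session["user_id"]], warnings


if __name__ == "__main__":
    c = login("1001")
    print(handle_request(f"SessionToken={c['SessionToken']}; UserId=1002"))
    print(handle_request(f"SessionToken={c['SessionToken']}"))
```
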