Can you steal the Token?


(Manthan Mallikarjun) #1

Hey!

Just wondering, if someone is able to convince another person to go into the Chrome inspector and send them the text of the cookie _t:

would the person be able to log in and steal the account?

Thanks.


(Jeff Atwood) #2

Yes, that will work on any website, too. Your cookie determines who you are. The cookie token can be cycled every (n) minutes so the window may be small depending on the website.

Gmail will often warn if it sees you logging in suddenly from a very different IP.


(Manthan Mallikarjun) #3

For most sites the cookies are usually encrypted. Rails has something like this to prevent it: cookies.signed[:user_id] = current_user.id. I understand for Ember, you have to leave the token in plain text. Don't you think it's a bit unsafe?


(Jeff Atwood) #4

I don’t think you understand the mechanics. If you hold the cookie you are that user. It has nothing to do with the contents of the cookie. See

http://blog.codinghorror.com/breaking-the-webs-cookie-jar/
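The mechanics behind posts #2 and #4, as an added example that is not part of the thread and not Discourse's or Rails' code: a signed cookie detects tampering but still authenticates anyone who presents a verbatim copy, because the cookie is a bearer token. The second half shows the server-side countermeasures the thread mentions (cycling the token every (n) minutes, plus expiry and logout invalidation), which bound how long a copied cookie stays usable. The `SessionStore` class, its `ttl_seconds`/`rotate_after` parameters and the sample user names are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets

# Constructed per-server secret: this is what makes cookies.signed-style cookies tamper-evident.
SERVER_KEY = secrets.token_bytes(32)


def sign_cookie(payload: str, key: bytes = SERVER_KEY) -> str:
    """Append an HMAC so the server can tell a modified payload from one it issued."""
    mac = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{mac}"


def verify_cookie(cookie: str, key: bytes = SERVER_KEY):
    """Return the payload if the MAC is valid, else None. Note: a verbatim copy verifies too."""
    payload, _, mac = cookie.rpartition(".")
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None
    return payload


class SessionStore:
    """Hypothetical server-side session table: opaque random token -> (user, issued_at).

    Possession of the token still identifies the user (post #4), but the server can
    limit the damage of a copied token by rotating it (post #2), expiring it, and
    dropping it on logout.
    """

    def __init__(self, ttl_seconds: int, rotate_after: int):
        self.ttl = ttl_seconds            # absolute lifetime of one token
        self.rotate_after = rotate_after  # cycle the token after this many seconds of age
        self._sessions: dict[str, tuple[str, int]] = {}

    def login(self, user: str, now: int) -> str:
        token = secrets.token_urlsafe(32)  # unguessable; never derived from the user id
        self._sessions[token] = (user, now)
        return token

    def resolve(self, token: str, now: int):
        """Return (user, token_to_send_back). (None, None) means the token is not valid."""
        record = self._sessions.get(token)
        if record is None:
            return None, None
        user, issued = record
        if now - issued > self.ttl:
            del self._sessions[token]      # expired: a stolen copy is dead too
            return None, None
        if now - issued > self.rotate_after:
            del self._sessions[token]      # cycle: the old value (and any copy of it) stops working
            fresh = secrets.token_urlsafe(32)
            self._sessions[fresh] = (user, now)
            return user, fresh
        return user, token

    def logout(self, token: str) -> None:
        self._sessions.pop(token, None)


def signing_demo(key: bytes = SERVER_KEY) -> dict:
    """Signing catches a tampered user_id but accepts an exact copy of the cookie."""
    issued = sign_cookie("user_id=42", key)
    tampered = "user_id=43." + issued.rpartition(".")[2]  # payload changed, old MAC kept
    return {
        "original_accepted": verify_cookie(issued, key) == "user_id=42",
        "tampered_rejected": verify_cookie(tampered, key) is None,
        "copy_accepted": verify_cookie(str(issued), key) == "user_id=42",
    }


if __name__ == "__main__":
    print(signing_demo())
    store = SessionStore(ttl_seconds=3600, rotate_after=600)
    token = store.login("alice", now=0)
    print("copied token at t=10:", store.resolve(token, now=10)[0])      # alice: bearer token
    _, rotated = store.resolve(token, now=700)                             # cycled after 600 s
    print("old copy after rotation:", store.resolve(token, now=701)[0])   # None
    store.logout(rotated)
    print("after logout:", store.resolve(rotated, now=702)[0])            # None
```

The point the example makes is the one in post #4: `verify_cookie` rejects an edited cookie but cannot distinguish the legitimate browser from anyone holding the same bytes. What the server controls is the window: `rotate_after` and `ttl_seconds` cap how long a leaked value works, and `logout` closes it immediately.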