SecologicTrain > CookieSecurity

Explanation

Scenario

You want to get access to a password protected area of a website. Usually you have to provide your credentials and if they are right you gain access.

In this case you should put yourself in the role of an attacker who has no valid credentials but wants to access the protected area.

It is your task to get access.

For testing what happens when you got valid credentials you can use the user "guest" with password "guest".

Information: To do this exercise cookies have to be enabled in your browser. In MS Internet Explorer you can enable cookies in the Menu>Tools>Internet Options in the section "Privacy". In Mozilla Firefox you can enable cookies in the Menu>Tools>Configurations.



// create an instance of the cookie 
Cookie
      cookie = new Cookie(cookieName, cookieContent); 
// set the path for
      this cookie 
cookie.setPath("/SecuTrain/pages/CS/de/"); 
// set the
      max-age for this cookie 
cookie.setMaxAge(60*60*24*365); 
// add the
      cookie to the response header 
response.addCookie(cookie);



// declare a session instance 
HttpSession
      session = null; 
// get the session from the current request
      
session = request.getSession(); 
// register the value "valu" for
      the key "login" 
session.setAttribute("login", value);