cookie overloading (denial of service)
Having seen pages out there issuing 40 or more cookies, I began
wondering how easy it would be to overload a browser with cookies
(and force it to delete other cookies).
Some experimentation indicates that it's possible to do that.
But I'd sure appreciate it if someone else on this list could
independently verify this.
Background: a host with a 3rd-level domain name can set 40 cookies:

    www.domain.com              20 cookies with different names
    .domain.com                 20 cookies with different names
                                --
                                40 cookies total

...and a host with a 4th-level domain name can set 80:

    www.subdomain.domain.com    20
    .subdomain.domain.com       20
    subdomain.domain.com        20
    .domain.com                 20
Similarly, a host with a 5th-level domain name can set 120 cookies.
Suppose you browse a page from my (contrived) server, called
www.services.east.company.com, which contains the following:

    an image from www.graphics.east.company.com
    a 2nd image from www.showme.foographics.com
    and a page counter (also an image...) from www.fooaudit.com

(which could all be pseudo domains, all on the same server). The combined
number of cookies which could be set would be as follows:
    www.services.east.company.com    20
    .services.east.company.com       20
    services.east.company.com        20
    .east.company.com                20
    east.company.com                 20
    .company.com                     20
    www.graphics.east.company.com    20
    .graphics.east.company.com       20
    graphics.east.company.com        20
    www.showme.foographics.com       20
    .showme.foographics.com          20
    showme.foographics.com           20
    .foographics.com                 20
    www.fooaudit.com                 20
    .fooaudit.com                    20
                                     ---
                                     300 cookies
</gre_replace>
<gr_insert after="47" cat="add_content" lang="python" orig="in favor of mine.">
As an added example (not part of the original post), the following Python script reproduces the post's cookie-slot arithmetic for an arbitrary set of hostnames embedded in one page, so a site owner can estimate how much of a visitor's cookie jar a page's third-party resources could consume. The counting rule is an assumption read off the post's tables: the exact host, then both the dotted and undotted form of each intermediate suffix, then the dotted two-label domain; the 20-per-domain and 300-total limits are the ones the post states (old Netscape-era caps, not those of current browsers). Parent domains shared by several hosts are counted once, as in the post's 300-cookie table.

```python
# Added example: estimate how many cookie slots a page's embedded hosts can
# claim under the post's counting model. Not code from the original message.

PER_DOMAIN_LIMIT = 20   # per-domain cap stated in the post (assumed model)
JAR_LIMIT = 300         # total-cookie cap the post assumes for the browser


def cookie_domains(host):
    """Return the Domain= values a host can set cookies under, following the
    post's tables: the exact host; for every intermediate suffix that still
    has 3+ labels, both the dotted and undotted form; and finally the dotted
    two-label domain (e.g. ".company.com")."""
    labels = host.strip().lower().rstrip('.').split('.')
    if len(labels) < 3:
        raise ValueError("model in the post starts at 3rd-level names: %r" % host)
    domains = ['.'.join(labels)]
    # Suffixes of length n-1 down to 3 get a dotted and an undotted entry.
    for k in range(len(labels) - 1, 2, -1):
        suffix = '.'.join(labels[-k:])
        domains.append('.' + suffix)
        domains.append(suffix)
    # The registrable two-label domain appears only in dotted form in the post.
    domains.append('.' + '.'.join(labels[-2:]))
    return domains


def page_cookie_capacity(hosts):
    """Distinct cookie domains reachable from all hosts on a page (shared
    parent domains counted once) and the cookies they could set in total."""
    seen = []
    for h in hosts:
        for d in cookie_domains(h):
            if d not in seen:
                seen.append(d)
    return seen, len(seen) * PER_DOMAIN_LIMIT


def jar_fill_ratio(hosts, jar_limit=JAR_LIMIT):
    """Fraction of the cookie jar one page's hosts could fill. A value of 1.0
    or more means every previously stored cookie could be evicted."""
    _, capacity = page_cookie_capacity(hosts)
    return capacity / jar_limit


if __name__ == '__main__':
    # Hosts from the post's contrived page (page itself plus three images).
    page_hosts = [
        'www.services.east.company.com',
        'www.graphics.east.company.com',
        'www.showme.foographics.com',
        'www.fooaudit.com',
    ]
    domains, capacity = page_cookie_capacity(page_hosts)
    for d in domains:
        print('%-32s %d' % (d, PER_DOMAIN_LIMIT))
    print('%-32s %d cookies' % ('total', capacity))
    print('jar fill ratio: %.2f' % jar_fill_ratio(page_hosts))
```

Running the script lists the same 15 domains as the post's table and reports 300 cookies, a fill ratio of 1.0. The same functions applied to a page's real resource hosts give a defender a quick measure of how exposed visitors' existing cookies (session identifiers included) are to eviction by that page.
<test>
assert cookie_domains('www.domain.com') == ['www.domain.com', '.domain.com']
assert len(cookie_domains('www.subdomain.domain.com')) == 4
assert len(cookie_domains('www.services.east.company.com')) * PER_DOMAIN_LIMIT == 120
page_hosts = ['www.services.east.company.com', 'www.graphics.east.company.com', 'www.showme.foographics.com', 'www.fooaudit.com']
domains, capacity = page_cookie_capacity(page_hosts)
assert len(domains) == 15
assert capacity == 300
assert domains[0] == 'www.services.east.company.com'
assert domains[5] == '.company.com'
assert jar_fill_ratio(page_hosts) == 1.0
try:
    cookie_domains('domain.com')
    assert False
except ValueError:
    pass
</test>
</gr_insert>
<gr_replace lines="48" cat="remove_boilerplate" orig="Follow-Ups:">
With your browser limited to holding 300 cookies, I've pretty much
forced your browser to discard most or all of the previous cookies
in favor of mine.
Follow-Ups: