Cookies and username ?
BartFan
December 25th, 2005, 10:07 AM
Hi..
Just wondering... When someone connects to a site and accepts cookies to navigate or post, what's visible in the cookie/by the site?
Is the username that's used on the originating computer visible in the cookie, or is it a site-generated username?
For example, if simon and jack are two users on an XP machine, and jack connects to a website, accepts cookies, is the cookie something like number.jack@wilders.com ?
TNT
December 25th, 2005, 12:25 PM
-{ Quote: "Hi..
Just wondering... When someone connects to a site and accepts cookies to navigate or post, what's visible in the cookie/by the site?
Is the username that's used on the originating computer visible in the cookie, or is it a site-generated username?
For example, if simon and jack are two users on an XP machine, and jack connects to a website, accepts cookies, is the cookie something like number.jack@wilders.com ?" }-
It depends. Badly programmed sites sometimes have usernames in cookies (in some particularly bad instances, even more info, even passwords... ::)); it all depends on who programmed the sites and how he decided to implement that part. If the web site relies ONLY on something like the username to recognize a user (or if it uses only something like a sequential user "ID" number), then its mechanism is completely broken, as cookies can be changed (they are on the client) and all it would take to log in as someone else is knowing his/her username or guessing his/her ID. Well-programmed sites should identify the user with something not easy to guess and totally unrelated to any of the user information, for instance with a good and long random string (and it's not as easy as it sounds).
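The difference described in the post above, between a cookie that carries a sequential user ID and one that carries a long random string, shown as an added example that is not part of the original thread or of any site's real code. The class names, the two sample accounts and the cookie names `userid` and `session` are assumptions made for illustration.

```python
import secrets

# Constructed sample accounts (assumption, not from the thread).
USERS = {1: "simon", 2: "jack"}

class WeakSite:
    """Recognizes users by a sequential ID stored in the cookie (broken design)."""
    def login(self, user_id):
        return {"userid": str(user_id)}        # cookie handed to the browser

    def whoami(self, cookie):
        # The value comes back from the client and is trusted without any check.
        try:
            return USERS.get(int(cookie.get("userid", "")))
        except ValueError:
            return None

class SessionSite:
    """Recognizes users by an unguessable token; identity stays on the server."""
    def __init__(self):
        self._sessions = {}                    # token -> user_id, never sent out

    def login(self, user_id):
        token = secrets.token_urlsafe(32)      # 32 bytes from the OS CSPRNG
        self._sessions[token] = user_id
        return {"session": token}

    def whoami(self, cookie):
        # Unknown or altered tokens map to no user at all.
        return USERS.get(self._sessions.get(cookie.get("session", "")))

    def logout(self, cookie):
        self._sessions.pop(cookie.get("session", ""), None)

def demo():
    weak, strong = WeakSite(), SessionSite()
    jack_weak, jack_strong = weak.login(2), strong.login(2)
    return {
        # Cookie edited on the client: the weak site now sees another account.
        "weak_edited": weak.whoami(dict(jack_weak, userid="1")),
        "strong_legit": strong.whoami(jack_strong),
        # The same edits mean nothing to the token-based site.
        "strong_edited": strong.whoami(dict(jack_strong, session="1")),
        "strong_guess": strong.whoami({"session": secrets.token_urlsafe(32)}),
    }

if __name__ == "__main__":
    print(demo())
```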
Tassie_Devils
December 26th, 2005, 12:05 AM
-{ Quote: "**snip** Well-programmed sites should identify the user with something not easy to guess and totally unrelated to any of the user information, for instance with a good and long random string (and it's not as easy as it sounds)." }-
Yes, e.g., here is part of a cookie of mine from this site ~ Wilders:
[deliberately changed numbers/letters just to indicate what it looks like]
bbuserid
000
wilderssecurity.com/
1111
111111111111
11111111
11111111111
1111111111
*
bbpassword
111x11x111dd4xxx111xxx111xxx1ax1 [this being a l-o-n-g string of alpha/numeric characters ~ good ;) ]
wilderssecurity.com/
1111
111111111111
11111111
11111111111
1111111111
TAS
Bubba
December 26th, 2005, 08:33 AM
-{ Quote: "For example, if simon and jack are two users on an XP machine, and jack connects to a website, accepts cookies, is the cookie something like number.jack@wilders.com ?" }-
The username of a cookie is whoever is logged in. For instance, if the XP account jack is logged in, the cookie file name will be jack@whatever domain. The exception would be a non-logged on user of Win9X... in which case the cookie file name will be anyuser@whatever domain.
TNT
December 26th, 2005, 10:06 AM
-{ Quote: "The username of a cookie is whoever is logged in. For instance, if the XP account jack is logged in, the cookie file name will be jack@whatever domain. The exception would be a non-logged on user of Win9X... in which case the cookie file name will be anyuser@whatever domain." }-
Well, that's the file name of the cookie in Internet Explorer; other browsers behave utterly differently (usually not even creating a file for each server but putting them all in one text file). I'm not sure the question was related to the file name of the cookie instead of its contents.
Copyright ©2002 - 2012, Wilders Security Forums