Question on Cookie Security
Hi Guys,
Through my studies it has been stated that an attacker who potentially had access could steal, say, your Hotmail cookies (as an example) from your client when you forget to log out and the cookies remain in your temp files, and then use them on another PC to log on to this person's account when accessing Hotmail. Well, I tested this very theory last night in a lab but I could not seem to get the results.
I have had experience in creating basic cookies before for small websites (using PHP & HTML), but I guess my lack of experience isn't giving me the heads up on this one. How would MS have designed these cookies? Are they more complex and is it not as easy as I've said above? If I had good programming knowledge could I get the results mentioned above?
I hope someone can give me some insight
Thanks!
DevOps Engineer and Security Champion. https://blog.pash.by - I am trying to find my writing style, so please bear with me.
Comments
Try creating your own login utility and hacking that and finding ways to secure that. Have you used PHP to create authenticated sessions before?
Hi Dynamik,
It was a direct copy of all Hotmail cookies from one PC to another exactly like it to see if I could compromise the account. I guess, like you say, there are some unique identifiers we can't see that stop this type of attack from happening.
Yes, I have used PHP to create authenticated sessions before. Although this was maybe 5/6 years ago, I am sure I'm out of touch with security hardening in different languages right now.
Cheers,
Yeah, I fully agree, there must be some kind of unique identifier created by an algorithm. Finding out what would be impossible though, I guess, unless I had developed it. I will try much simpler login-based cookies when I have time and try the same method. See what I can come up with.
Cheers,
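For anyone building the simple login test discussed in this thread, here is an added example (not part of the original posts, and not a description of how Hotmail works) of server-side checks that make a copied session cookie fail: a signed session ID, a server-held expiry, removal at logout, and a client binding. The function names, the secret, the choice of User-Agent plus IP as the binding, and all sample values are assumptions constructed for illustration.

```php
<?php
// Added example: hypothetical helper names and constructed sample values.
const SECRET = 'constructed-demo-key'; // assumption: server-side key, never sent to the client

function fingerprint(string $userAgent, string $ip): string {
    // Assumption: bind the session to User-Agent and client IP.
    // Such attributes can match on a similar client, so this complements
    // short lifetimes and logout invalidation rather than replacing them.
    return hash('sha256', $userAgent . '|' . $ip);
}

function issueCookie(array &$store, string $user, string $ua, string $ip, int $now, int $ttl = 900): string {
    $sid = bin2hex(random_bytes(16));              // unguessable session ID
    $store[$sid] = ['user' => $user, 'expires' => $now + $ttl, 'fp' => fingerprint($ua, $ip)];
    return $sid . '.' . hash_hmac('sha256', $sid, SECRET); // cookie value = id.signature
}

function logout(array &$store, string $cookie): void {
    unset($store[explode('.', $cookie)[0]]);       // session state is gone server-side
}

function validateCookie(array &$store, string $cookie, string $ua, string $ip, int $now): string {
    $parts = explode('.', $cookie);
    if (count($parts) !== 2) return 'malformed';
    [$sid, $mac] = $parts;
    if (!hash_equals(hash_hmac('sha256', $sid, SECRET), $mac)) return 'bad-signature';
    if (!isset($store[$sid])) return 'unknown-or-logged-out';
    if ($now >= $store[$sid]['expires']) { unset($store[$sid]); return 'expired'; }
    if (!hash_equals($store[$sid]['fp'], fingerprint($ua, $ip))) return 'client-mismatch';
    return 'ok:' . $store[$sid]['user'];
}

$store = [];                 // stands in for the server's session table
$t0 = 1700000000;            // constructed timestamp
$cookie = issueCookie($store, 'alice', 'Browser/1.0', '192.0.2.10', $t0);

// Same client, shortly after login.
echo validateCookie($store, $cookie, 'Browser/1.0', '192.0.2.10', $t0 + 60), "\n";
// Same cookie value presented from a different address.
echo validateCookie($store, $cookie, 'Browser/1.0', '198.51.100.7', $t0 + 60), "\n";
// Same client after the 15-minute lifetime has passed (entry is dropped).
echo validateCookie($store, $cookie, 'Browser/1.0', '192.0.2.10', $t0 + 901), "\n";
// A fresh session that the user explicitly logs out of.
$c2 = issueCookie($store, 'alice', 'Browser/1.0', '192.0.2.10', $t0);
logout($store, $c2);
echo validateCookie($store, $c2, 'Browser/1.0', '192.0.2.10', $t0 + 60), "\n";
```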