What is Netscape HTTP Cookie File for and how?

Asked

Viewed 620 times

0

I need to save cookies of some accounts that authenticate my APP on Twitter, searched the web and found something like:?

# Netscape HTTP Cookie File
# https://curl.haxx.se/docs/http-cookies.html
# This file was generated by libcurl! Edit at your own risk.

#HttpOnly_.twitter.com  TRUE    /   TRUE    0   _twitter_sess   BAh7DCIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNo%250ASGFzaHsABjoKQHVzZWR7ADoPY3JlYXRlZF9hdGwrCE5GrqRcAToMY3NyZl9p%250AZCIlNDAyMmVkNWY3ZmNiYzdmNGIwZjM5NTZhOTM4ODU1MmM6B2lkIiU1YWJm%250AMWEzYmUxZWM3MmUwYzgzZjZlNzE1MTYwOWU5MjofbG9naW5fdmVyaWZpY2F0%250AaW9uX3VzZXJfaWRsKwdWcHFVOiJsb2dpbl92ZXJpZmljYXRpb25fcmVxdWVz%250AdF9pZCIlSDUyNDduWjdMZThhVVZkY21mWEw1YVVlT0ZaUnNYTHI6CXVzZXJs%250AKwdWcHFV--5148e6c684aadb571a79e48480b6c65398770db9
.twitter.com    TRUE    /   TRUE    1497433103  ct0 b59149399feb3cb9bf073a4f6c8ac99f
.twitter.com    TRUE    /   FALSE   1560483503  guest_id    v1%3A149741150369212010
.twitter.com    TRUE    /   FALSE   1812771541  ads_prefs   "HBERAAA="
#HttpOnly_.twitter.com  TRUE    /   TRUE    1544672341  kdt eyYcfbtxCwHOWoJ2f2cqPC7CozDRWdoddbgMIWnM
.twitter.com    TRUE    /   FALSE   1812771541  remember_checked_on 0
.twitter.com    TRUE    /   TRUE    0   twid    "u=1433497686"
#HttpOnly_.twitter.com  TRUE    /   TRUE    0   auth_token  4faa69fd29e85734f2db445239d0e0d81a6d7afc
twitter.com FALSE   /   FALSE   0   lang    pt

This I found in this domain: http://twitterlike.com.br/api/cookie/

I’d like to know how to do it and what it’s for Netscape HTTP Cookie File.

  • 2

    This is a cookie format, usually this is the result of cookie-jar, Curl, which saves in this format. However, in this situation this is an extremely high vulnerability of the site, apparently. Because these files are cookies to access the twitter accounts, basically with them you can access the 10702 accounts if they are valid. The _twitter_sess and the auth_token is who authorizes access, whether you automatically or manually set these cookies for the respective values (Bah7D... and 4faa69...) you will be able to access this person’s twitter.

  • Ta I need to do exactly the same without malicious intentions, you know a way? to do this?

1 answer

1


This is a cookie storage format and in this case it was done using the Curl as mentioned in the comments This file was generated by libcurl! Edit at your own risk..


What good is he?

As a way to store cookies. All essential information, from which domain, which cookie name, which cookie value, contains the flag insurance, if you count flag of Httponly... In this situation there is a page that uses Twitter login/password, you send a request to login and then stores cookies, so that in future requests you use these cookies.

Cookies are for various purposes, far beyond login/password. If you know what cookies are and what they are used for and how they work, then you know the reason to store them.

How I file such a file?

This is in the Curl documentation, use:

curl -c /caminho/arquivo.txt https://site.com

This will save cookies from https://site.com in the specified path, to use cookies use the -b. More information see in the documentation.

In the case of PHP use:

$curl = curl_init('https://seusite.com');
curl_setopt($curl, CURLOPT_COOKIEJAR, 'caminho/arquivo.txt');
//...

curl_exec($curl);

This will cause you to save cookies in the specified file. Then, for a future request use these cookies CURLOPT_COOKIEFILE instead of COOKIEJAR.

The CURLOPT_COOKIEFILE will read the file and send them in the header of Cookie:, it supports the old Netscape/Mozilla formats and also a file containing the Set-Cookies:.

You have several and several other, including more efficient, ways to get/store cookies from the page, one of the other ways is to simply get the information directly from the header, from Set-Cookie:.

  • 2

    All right, I liked the answer, well prepared, congratulations, but another question, I’m using Abraham/twitteroauth, I do not use this form of user enter user and password, but click on the button to authenticate, save the access token in a table, works the same way?

  • 2

    No. Cookies will only be obtained if you request using login/password. For this just enter the Twitter page see what is the URL called (ie F12 > Network) and request using Curl, it is able to send the information equal to the browser. The official Twitter API does not use cookies, because getting other people’s login/password is not safe, so there is Oauth, officially made available by Twitter.

  • 2

    I get it, so I’m gonna have to resort to login/password and save money to get out of jail after.

  • 2

    but the page you say is login, or already logged in ?

  • could answer?

  • 3

    Well, if you want to get cookies you will have no way to access a logged in page without having cookies. So what you need is to make the login request, to https://twitter.com/sessions in this case, it is he who receives the login data. If the login/password combination is right Twitter will return the cookies associated with the account, which will allow you to access the Twitter profile, you must store them. Storing will allow you to make the other requests as if you were connected in this user. The whole process in this case should be done using Curl or other equivalent software.

  • 1

    obg, with these comments and answers I think I can do what I want...

Show 2 more comments

Browser other questions tagged

You are not signed in. Login or sign up in order to post.