Does copying cookies allow attackers to view pages that should be visible only after login?

  • TLDR;

    Copying the request from ChromeDevTools along with all cookies allows me to view pages that I should not be able to view after logging in.

    Have I been pwned ?

    I just found a terrifyingly easy way to view pages that should be visible to someone only if they are logged in.

    Let's say I hit the URL

    If I am not logged in then I should be redirected to the login page right ? That is if the login cookie is not set then it will be assumed I am not authenticated and then send back to the login page.

    Only after logging in can the contents of profile.html be show to me.

    Right ?


    Let's say I have logged in.

    In ChromeDevTools in the Network Tab I can select any request and copy it as curl, with all cookies.

    I tried out that curl command in Bash, I saw that the page that was suppose to be loaded only after logging in, worked fine.

    Is this how its suppose to work ?

    Many sites like, sometimes have a pop-up that takes me to Now I keep my Google signed in in Chrome.

    Does it mean I have been pwned ?

    Or am I completely missing something obvious here ?

  • For most websites, cookies are used to persist login information once the user has logged in. This prevents the user from needing to log in for every page they want to visit, and it's normal and expected that anyone who has access to that set of cookies will have normal access to that account for the lifetime of the session.

    The fact that cookies are usually used to grant such access has led to several security measures to restrict their scope, such as restricting them to be able be accessed only for HTTP(S) requests or restricting them to secure contexts only (which usually means HTTPS only).

    As nobody mentioned in the comments, the copy as curl copies all the cookies, which means that the curl requests will generally act the same way and with the same privileges as your logged in Chrome session. You are, effectively, logged in.

    Cookies are generally persisted securely in the web browser, although some sites may wish to take measures against cookie theft, such as limiting cookie lifetimes, refreshing cookies frequently, or requiring confirmation of access (such as a password) before performing especially sensitive operations.

    So this is normal and expected, although you have noted correctly that having the cookies for a site does grant you full access, which generally requires taking prudent security measures to prevent their compromise.

Suggested Topics

  • 2
  • 2
  • 2
  • 2
  • 2
  • 2
  • 2
  • 2