[icq-devel] Authorization cookie



Robin Fisher robin at phase3solutions.com
Tue Dec 18 11:11:55 CET 2001


Hey,

I'm 99.99% sure the cookie is just a length of random data, that the server 
uses to make sure the client that got authorised is the one that connects 
to the secondary server.

I've done some tests with a personal ICQ server I wrote, and if you send a 
cookie to the ICQ client of only 1 byte, or more than 256 bytes, it just 
passes it on like normal.

As to storing data in it, why bother, it'd be too much effort to encode it 
as well as to make it seem random, and the data can be securely passed 
directly from the auth server to the regular server much more easily..

In that regard, the size of 256 bytes would only be an amount that AOL 
chose to make doubles in the cookies to be so rare as to not be a security 
risk..

Robin

At 07:29 PM 17/12/2001 -0800, you wrote:
>Those don't sound like valid cookies, then.  It's not even possible to have
>a 1-byte cookie, because too much vital information would be missing then
>that the server needs to use.
>
>
>Gambit
>
>----- Original Message -----
>From: "Alexandr V. Shutko" <AVShutko at mail.khstu.ru>
>To: "Massimo Melina" <icq-devel at blipp.com>
>Sent: Monday, December 17, 2001 7:20 PM
>Subject: [icq-devel] Authorization cookie
>
>
> > I found that the client accepts auth cookies with sizes from 1 byte to
> > 1024... :) Do you have any ideas how the AOL server produces it ?
> > I'm a newbie with the V7 proto... Have you ever seen packets with
> > cookie_len != 256 ?
>
>

------------------------------------------------------------
If vegetarians eat vegetables, what do humanitarians eat?
------------------------------------------------------------
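
The model Robin describes (an opaque random cookie handed out by the auth server and checked by the secondary server) can be sketched as below. This is an added example, not code from the thread and not AOL's implementation; `CookieStore`, `COOKIE_TTL`, `collision_log2` and the 30-second lifetime are hypothetical. It also puts a number on the "doubles" argument for the 256-byte length.

```python
import math
import secrets
import time

COOKIE_LEN = 256   # cookie length discussed in the thread
COOKIE_TTL = 30.0  # seconds; assumed value, not taken from the protocol


class CookieStore:
    """Hypothetical state shared by the auth server and the secondary server."""

    def __init__(self, length=COOKIE_LEN, ttl=COOKIE_TTL, clock=time.monotonic):
        self.length, self.ttl, self.clock = length, ttl, clock
        self._pending = {}  # cookie bytes -> (uin, expiry time)

    def issue(self, uin):
        """Auth server: mint an opaque random cookie after a successful login."""
        cookie = secrets.token_bytes(self.length)
        self._pending[cookie] = (uin, self.clock() + self.ttl)
        return cookie

    def redeem(self, cookie):
        """Secondary server: return the UIN once; None if unknown, expired or reused."""
        # pop() makes the cookie single-use, so a replayed cookie is rejected.
        entry = self._pending.pop(bytes(cookie), None)
        if entry is None:
            return None
        uin, expiry = entry
        return uin if self.clock() <= expiry else None


def collision_log2(n_cookies, length):
    """log2 of the birthday bound n^2 / 2^(8*length + 1) on any two cookies matching.

    Capped at 0 (probability 1) when the bound stops being informative.
    """
    return min(0.0, 2 * math.log2(n_cookies) - (8 * length + 1))


if __name__ == "__main__":
    store = CookieStore()
    cookie = store.issue(12345)           # constructed UIN
    print(len(cookie), store.redeem(cookie), store.redeem(cookie))
    print(collision_log2(2**32, 256), collision_log2(2**32, 1))
```

The client never needs to parse the cookie, which matches the observation that it relays any length unchanged; only the server side depends on the length, and a 1-byte cookie leaves just 256 possible values.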