[icq-devel] Authorization cookie



Dan Ackerman baldrick at dilbert.netset.com
Tue Dec 18 14:03:20 CET 2001


On Tue, 18 Dec 2001, Robin Fisher wrote:

> Hey,
>
> I'm 99.99% sure the cookie is just a length of random data, that the server
> uses to make sure the client that got authorised is the one that connects
> to the secondary server.
>
> I've done some tests with a personal ICQ server I wrote, and if you send a
> cookie to the ICQ client of only 1 byte, or more than 256 bytes, it just
> passes it on like normal.
>
> As to storing data in it, why bother, it'd be too much effort to encode it
> as well as to make it seem random, and the data can be securely passed
> directly from the auth server to the regular server much more easily.
>
> In that regard, the size of 256 bytes would only be an amount that AOL
> chose to make doubles in the cookies to be so rare as to not be a security
> risk.
>
> Robin

	I haven't played much with v7 yet.  I'm busy on another project.
However, it would seem strange to me if it were completely worthless data.
As to whether it's data that we need to worry about is a separate
connection.  But encoding of the IP address into a cookie for tracking
data is a fairly common practice since the introduction of transparent
proxies like squid.

Dan Ackerman
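
The handoff Robin describes (an opaque random cookie, with the account data passed server to server instead of being encoded in the cookie), as an added example that is not part of the original posts and not ICQ or AOL code. `CookieStore`, the 60-second lifetime, the single-use rule and the UIN values are assumptions made for illustration.

```python
import hmac
import secrets
import time

COOKIE_LEN = 256     # cookie size mentioned in the thread
COOKIE_TTL = 60.0    # assumed lifetime in seconds (not from the thread)


class CookieStore:
    """Hypothetical state shared by the auth server and the secondary server."""

    def __init__(self, clock=time.monotonic):
        self._pending = {}    # cookie bytes -> (uin, expiry time)
        self._clock = clock

    def issue(self, uin):
        """Auth server: after a successful login, mint an opaque random cookie."""
        cookie = secrets.token_bytes(COOKIE_LEN)
        self._pending[cookie] = (uin, self._clock() + COOKIE_TTL)
        return cookie

    def redeem(self, presented):
        """Secondary server: return the UIN bound to the cookie, or None."""
        now = self._clock()
        match = None
        for cookie, (uin, expiry) in list(self._pending.items()):
            if expiry < now:
                del self._pending[cookie]            # drop stale entries
            elif hmac.compare_digest(cookie, presented):
                match = (cookie, uin)                # constant-time comparison
        if match is None:
            return None
        del self._pending[match[0]]                  # single use: a replay fails
        return match[1]


if __name__ == "__main__":
    store = CookieStore()
    cookie = store.issue(1234567)                    # constructed UIN
    print("first use :", store.redeem(cookie))
    print("replay    :", store.redeem(cookie))
    print("guess     :", store.redeem(secrets.token_bytes(COOKIE_LEN)))
```

The cookie carries no client data here; everything the secondary server learns comes from the shared store, so the client only has to pass the bytes back unchanged.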




