Example - 1

The following code excerpt reads a value from a browser cookie to determine the role of the user.

userRole = c.getValue();Cookie c = cookies[i];if (c.getName().equals("role")) {}Cookie[] cookies = request.getCookies();for (int i =0; i< cookies.length; i++) {}

Example - 2

The following code could be for a medical records application. It performs authentication by checking if a cookie has been set.

// save the cookie to send out in future responsessetcookie("authenticated", "1", time()+60*60*2);

ShowLoginScreen();die("\n");if (AuthenticateUser($_POST['user'], $_POST['password']) == "success") {}else {}
$auth = $_COOKIES['authenticated'];if (! $auth) {}DisplayMedicalHistory($_POST['patient_ID']);

The programmer expects that the AuthenticateUser() check will always be applied, and the "authenticated" cookie will only be set when authentication succeeds. The programmer even diligently specifies a 2-hour expiration for the cookie.

However, the attacker can set the "authenticated" cookie to a non-zero value such as 1. As a result, the $auth variable is 1, and the AuthenticateUser() check is not even performed. The attacker has bypassed the authentication.

Example - 3

In the following example, an authentication flag is read from a browser cookie, thus allowing for external control of user state data.

authenticated = true;Cookie c = cookies[i];if (c.getName().equals("authenticated") && Boolean.TRUE.equals(c.getValue())) {}Cookie[] cookies = request.getCookies();for (int i =0; i< cookies.length; i++) {}