There has been a lot of talk about Firesheep, a Firefox add-on that shows some of the security issues with cookies that have been known for years. I'm not going to go into Firesheep (possibly in a later post) but into Firefox cookies. This is very basic stuff: I had some extra time last night (and was a little bored), so I decided to copy Firefox profiles to another computer, and I was able to get into websites that the other user had logged into (because of cookies). For Firefox I just copied the following files: cookies.sqlite, signons.sqlite, and sessionstore.js, which are located on Windows XP at

C:\Documents and Settings\UsersName\Application Data\Mozilla\Firefox\Profiles\***.default

These files are pretty much self-explanatory, but: cookies.sqlite stores the user's cookies, signons.sqlite stores the user's login IDs and passwords (if they choose to save them), and sessionstore.js saves the user's session (i.e. the tabs the user saves when closing Firefox). Copy these files to your profile and … you get the idea.

Told you, pretty basic stuff. So how do you prevent this? Well, first of all, you have to have administrative access to view other users' profiles. That prevents a lot of people from doing this, but gaining administrative access isn't hard, especially if the user has physical access to the machine.

So we are assuming that someone has administrative access to the machine, either yourself or an IT department. If you are using a public/work computer, consider everything that you're doing public knowledge. Here are some things to try; keep in mind that nothing is perfect, and anyone with enough time will be able to get the information that they are after.

1) Encrypt your hard drive. This doesn't prevent administrators from doing it, but it slows down everyone else.
2) Clear cookies when you close Firefox. You can set this by clicking Tools -> Options -> Privacy, setting "Firefox will" to "Use custom settings for history", and there is an option to clear cookies when Firefox closes.
3) Don't save passwords in Firefox (or, for that matter, any browser).
4) Set a password for Firefox passwords.
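
To check whether measures 2 and 3 are actually in effect on a profile, here is an added example (not part of the original post): a Python audit that reports which hosts still have unexpired cookies in cookies.sqlite and what prefs.js says, without reading cookie values. The `moz_cookies` columns and the pref names and defaults used are assumptions that vary between Firefox versions, and the sample profile is constructed.

```python
import os, re, sqlite3, tempfile, time

def read_prefs(profile):
    """Parse user_pref("name", value); lines from prefs.js (non-default prefs only)."""
    path = os.path.join(profile, "prefs.js")
    if not os.path.exists(path):
        return {}
    with open(path, encoding="utf-8") as fh:
        return dict(re.findall(r'user_pref\("([^"]+)",\s*(.+?)\);', fh.read()))

def audit_profile(profile, now=None):
    """Summarise what a copied profile would expose; cookie values are never read."""
    now = int(time.time() if now is None else now)
    prefs = read_prefs(profile)
    # Assumed pref names and defaults; they differ between Firefox versions.
    clears = (prefs.get("privacy.sanitize.sanitizeOnShutdown") == "true"
              and prefs.get("privacy.clearOnShutdown.cookies", "true") == "true")
    session_only = prefs.get("network.cookie.lifetimePolicy") == "2"
    report = {
        "clears_cookies_on_close": clears or session_only,
        "saves_passwords": prefs.get("signon.rememberSignons", "true") == "true",
        "signons_file_present": os.path.exists(os.path.join(profile, "signons.sqlite")),
        "live_cookie_hosts": [],
    }
    db = os.path.join(profile, "cookies.sqlite")
    if os.path.exists(db):  # audit a copy: a running Firefox may lock the live file
        con = sqlite3.connect(db)
        rows = con.execute("SELECT DISTINCT host FROM moz_cookies "
                           "WHERE expiry > ? ORDER BY host", (now,))
        report["live_cookie_hosts"] = [r[0] for r in rows]
        con.close()
    return report

def build_sample_profile():
    """Constructed profile: one live cookie, one expired cookie, and a prefs.js."""
    profile = tempfile.mkdtemp()
    con = sqlite3.connect(os.path.join(profile, "cookies.sqlite"))
    con.execute("CREATE TABLE moz_cookies (id INTEGER PRIMARY KEY, name TEXT, "
                "value TEXT, host TEXT, path TEXT, expiry INTEGER)")
    con.executemany(
        "INSERT INTO moz_cookies (name, value, host, path, expiry) VALUES (?,?,?,?,?)",
        [("sid", "constructed", ".example.test", "/", 2000000000),
         ("old", "constructed", ".expired.test", "/", 1000)])
    con.commit()
    con.close()
    with open(os.path.join(profile, "prefs.js"), "w", encoding="utf-8") as fh:
        fh.write('user_pref("signon.rememberSignons", false);\n')
    return profile

if __name__ == "__main__":
    print(audit_profile(build_sample_profile(), now=1700000000))
```

An empty `live_cookie_hosts` list after closing Firefox is the result to aim for: any host listed there is a login that travels with the copied file.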

I'm sure there are other ways to prevent this, and I'm sure that you can do something similar with other browsers.