http://qs321.pair.com?node_id=206864


in reply to Re(3): Filtering potentially dangerous URI schemas in <a href="...">
in thread Filtering potentially dangerous URI schemas in <a href="...">

I think that you will find that while possible to break an encrypted cookie eventually, it is by no means a trivial task.

If I can display your cookie to you, I can send it to me. If I can get your cookie, I can login as you.

Most Javascript cookies are encrypted at the server using (most likely) an MD5 salt. The ones that are not usually end up serving as a lesson to others about security and web application architecture embarrassment.

Here is my password per Petrucio's site...

userpass=hackmare%257ChaY8je3nfzM7s%257C

I invite you to log into my account and send me a message telling me you did it.


Update by Dog and Pony: I can do better than that. I am very sorry for this intrusion, but what better way to prove my point? After all, you invited me into your account. And no, I will not tell you how I did it. Just suffice to say that encryption does not matter in this case. I'd really advise you to change your password fast. I could do it for you, but that wouldn't really help, now would it? :)



Update by hackmare: Very well done, dog_and_pony. I am clearly wrong and misinformed.
I would very much appreciate a primer on where my understanding of cookie security is wrong.
Is it that the cookie is only appearing encrypted on my machine while it is not, or that you know the server salt, or that you used an improved cracklib (mind you the pwd string is not that good), or that you got a cleartext cookie?

Please reply in another post rather than in mine. And no offense taken for your demonstration.


While not impossible, it is much too difficult to do for the vast majority of hackers. If it was not the case, there would be no such thing as cookies or secure web apps. I seriously doubt anyone without a crypto background can do it.

But this does not change the fact that exposing all of us to the risks of cross-site scripting is a Very Bad Thing for us and for PerlMonks' reputation if there is any problem.

hackmare.
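Added example, not part of the original post or of PerlMonks' code: a toy showing why "encryption does not matter in this case". The cookie quoted above is a bearer token; whoever holds the exact string is logged in, so its hash never has to be reversed. The salted-MD5 scheme, the salt value, the user store, the password and the session-store variant are all constructed assumptions for illustration. The only thing taken from the post is the double-percent-encoded cookie value (`%257C` decodes to `%7C`, then to `|`).

```python
"""Constructed example: a stolen cookie is replayed, never cracked."""
import hashlib
import secrets
from typing import Dict, Optional, Tuple
from urllib.parse import unquote

# Cookie exactly as quoted in the post, percent-encoded twice.
QUOTED_COOKIE = "userpass=hackmare%257ChaY8je3nfzM7s%257C"


def parse_userpass_cookie(cookie: str) -> Tuple[str, str]:
    """Split a 'userpass' cookie into (user, token); decodes twice because the
    quoted value was percent-encoded twice: %257C -> %7C -> '|'."""
    name, _, value = cookie.partition("=")
    if name != "userpass":
        raise ValueError("not a userpass cookie")
    user, token, _trailing = unquote(unquote(value)).split("|")
    return user, token


# Scheme 1 (assumed, roughly as the post describes it): the cookie carries a
# salted hash of the password and the server compares it to the stored hash.
SERVER_SALT = b"toy-salt"  # assumption: server-side secret the attacker never learns


def password_token(password: str) -> str:
    """Salted MD5 of the password: the 'encrypted' value that ends up in the cookie."""
    return hashlib.md5(SERVER_SALT + password.encode()).hexdigest()


def make_userpass_cookie(user: str, token: str) -> str:
    return f"userpass={user}|{token}|"


def auth_by_password_hash(cookie: str, users: Dict[str, str]) -> Optional[str]:
    """Return the user if the cookie's token equals the stored hash, else None.
    Note what is NOT needed: the password, the salt, or any cracking."""
    user, token = parse_userpass_cookie(cookie)
    stored = users.get(user)
    if stored is not None and secrets.compare_digest(stored, token):
        return user
    return None


# Scheme 2: opaque random session id kept server-side. Still a bearer token,
# but it reveals nothing about the password and can be revoked on its own.
class SessionStore:
    def __init__(self) -> None:
        self._sessions: Dict[str, str] = {}

    def issue(self, user: str) -> str:
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = user
        return sid

    @staticmethod
    def set_cookie_header(sid: str) -> str:
        # HttpOnly keeps the value out of document.cookie, so script injected
        # into the page cannot read it; Secure keeps it off plaintext HTTP.
        return f"Set-Cookie: session={sid}; HttpOnly; Secure; Path=/"

    def authenticate(self, cookie: str) -> Optional[str]:
        name, _, sid = cookie.partition("=")
        return self._sessions.get(sid) if name == "session" else None

    def revoke(self, sid: str) -> None:
        self._sessions.pop(sid, None)


def demo() -> Dict[str, bool]:
    """Victim logs in, attacker copies the cookie string verbatim (as an XSS
    payload that reads document.cookie would), then replays it."""
    results: Dict[str, bool] = {}

    # Scheme 1: constructed user store with a constructed password.
    users = {"hackmare": password_token("correct horse")}
    victim_cookie = make_userpass_cookie("hackmare", users["hackmare"])
    stolen_copy = str(victim_cookie)  # attacker never sees the password
    results["stolen_hash_cookie_accepted"] = auth_by_password_hash(stolen_copy, users) == "hackmare"
    users["hackmare"] = password_token("a new password")  # the only fix: change it
    results["after_password_change"] = auth_by_password_hash(stolen_copy, users) == "hackmare"

    # Scheme 2: stolen session id also works, but can be revoked by itself.
    store = SessionStore()
    sid = store.issue("hackmare")
    stolen_session = f"session={sid}"
    results["stolen_session_accepted"] = store.authenticate(stolen_session) == "hackmare"
    store.revoke(sid)
    results["after_revoke"] = store.authenticate(stolen_session) == "hackmare"
    return results


if __name__ == "__main__":
    print(parse_userpass_cookie(QUOTED_COOKIE))
    print(demo())
```

Neither scheme survives cookie theft; the difference is what it costs to recover. With the password-hash cookie the stolen value stays valid until the password itself changes (which is exactly the advice given above), while an opaque session id can be revoked on its own and, sent with HttpOnly, is not readable from injected script in the first place. The real fix for the thread's problem remains not letting untrusted `href` schemes run script on the page.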