
Tag: Blog


On January 1st, 2008

Stealing Cookies

No, Not Like The Cookie Monster

After reading an article about stealing cookies by using user-built webpages in subdirectories (not subdomains) of a website, I immediately thought of the personal webpages Willamette allows you to set up at willamette.edu/~username/ as a student. A website which didn't take such risks into consideration would allow any user of the system with a personal page to capture all the cookie data the real website is using, most notably PHP sessions. Sadly, Willamette uses HTTP authentication instead of cookie- or session-based authentication, so (at present) I can't capture anything of value. The only cookies I've so far seen willamette.edu set are cookies for Google Analytics. So at the moment Willamette seems to triumph over this particular hack, but there are countless schools out there which allow users to create their own webpage under the school's domain name with PHP, so I thought I'd let you all have a go at snagging the cookies of hapless visitors to your school's website.


Posted in: Blog, Cookies, Security, Willamette