A website accepts the following request and sets "_Add_User" as a cookie in the response:
Request:
GET /cgi-bin/webscr?cmd=_Add_User HTTP/1.1
Host: www.example.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0.1) Gecko/20100101 Firefox/8.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-gb,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Connection: keep-alive
Referer: https://www.example.com/myaccount/home
Response:
HTTP/1.1 200 OK
Server: Apache
X-Frame-Options: SAMEORIGIN
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
DC: slc-a-origin-www-2.example.com
Content-Length: 55293
X-EdgeConnect-MidMile-RTT: 127
X-EdgeConnect-Origin-MEX-Latency: 1011
Date: Tue, 19 May 2015 15:47:18 GMT
Connection: keep-alive
Vary: Accept-Encoding
Set-Cookie: navcmd=_Add_User
Strict-Transport-Security: max-age=63072000
I can change "_Add_User" to "TEST" and the cookie will be changed to "TEST".
Is it possible to escape the cookie and cause response splitting? Can I exploit this behavior in any way?
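
A server-side check for the reflection described above, added here as an example that is not part of the original post or the site's own code: it decodes the cmd parameter and only emits the navcmd cookie when the value consists of RFC 6265 cookie-octets, so CR, LF, spaces and ";" never reach the header. The function name navcmd_header and the KNOWN_CMDS allowlist are assumptions made for illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit

# RFC 6265 cookie-octet: printable US-ASCII except space, DQUOTE, comma,
# semicolon and backslash. CR, LF and all other control characters are excluded.
COOKIE_OCTETS = re.compile(r"[\x21\x23-\x2B\x2D-\x3A\x3C-\x5B\x5D-\x7E]+")

# Hypothetical allowlist of commands the application really serves (assumption).
KNOWN_CMDS = {"_Add_User", "_Home"}


def navcmd_header(request_target, allowlist=None):
    """Return the Set-Cookie line for navcmd, or None when cmd must not be reflected."""
    query = urlsplit(request_target).query
    values = parse_qs(query, keep_blank_values=True).get("cmd", [])
    if len(values) != 1:
        return None  # missing or repeated parameter: do not guess which one to use
    value = values[0]  # parse_qs has already percent-decoded it (%0d%0a is now CR LF)
    if not COOKIE_OCTETS.fullmatch(value):
        return None  # empty, or contains a character that could end the value or the line
    if allowlist is not None and value not in allowlist:
        return None  # syntactically safe, but not a command the application knows
    return "Set-Cookie: navcmd=" + value


if __name__ == "__main__":
    # Constructed request targets, modelled on the request in the post.
    samples = [
        "/cgi-bin/webscr?cmd=_Add_User",
        "/cgi-bin/webscr?cmd=TEST",
        "/cgi-bin/webscr?cmd=TEST%0d%0aX-Test:%201",
        "/cgi-bin/webscr?cmd=TEST%3BPath=/",
    ]
    for target in samples:
        print(target, "->", navcmd_header(target, KNOWN_CMDS))
```

Validating the decoded value matters because the raw query string contains only "%0d%0a", which looks harmless until it is decoded.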