Thread: How to change username in cookies? e.g. [email protected]
View Single Post
  #8  
Old September 1st 10, 05:32 AM posted to microsoft.public.windowsxp.security_admin
VanguardLH[_2_]
external usenet poster
  
Posts: 10,881
Default How to change username in cookies? e.g. [email protected]
I don't know how you renamed your account since you didn't describe your
procedure. I'll assume that you went to Control Panel - User Accounts
- Change an Account, selected your account, and clicked on Change Name.

Say your username had been marylamb. If, in a command shell, you had
run the commands:

echo %username%
echo %userprofile%

then they would've displayed:

marylamb
C:\Documents and Settings\marylamb

That's the base folder under which, by default, your shell folders get
created (My Documents, Favorites, Cookies, etc). You can move those
shell folders to other paths, like using TweakUI, but that doesn't
change the definition of what is your userprofile path. When you FIRST
logged into your Windows account, the OS created a userprofile path (and
the shell folders under there) based on what was your username at THAT
time. The username specified the FIRST time you log into an account
gets permanently recorded for that account. You don't even have
userprofile folders until the first time you log into an account. Stuff
gets recorded and created on the first login that you can't change
thereafter.

Say you later renamed your Windows account from marylamb to ednorton.
You were logged in as marylamb and then logged out. You login but now
specify ednorton as your username

By the way: You'll notice that you can still login as marylamb, so you
have 2 names you can use for login: marylamb and ednorton.

You are now logged in as ednorton. Go run the above 2 commands again in
a command shell. What you'll see for output is:

marylamb
C:\Documents and Settings\marylamb

Notice that neither your username or userprofile path changed. Huh?
You just logged on using ednorton but the environment variables still
show you by your old name and your userprofile path hasn't changed.

You changed the name of your Windows account, not its settings. Think
of this like putting name stickers on guests. A guest might grab
another sticker to put over the one he was already wearing. Did the
person change? No, just the writing on the sticker. You are still
logging under the same old account. Changing the name didn't change
what account you used for login. Your username is NOT the same as your
account name. Those are different entities. That in 99.999% of Windows
installations they have the same value has led to everyone thinking they
are the same thing.

Problems might arise from changing the name of your Windows account,
like EFS might not let you decode correctly anymore, but most stuff
should work because everything is defined just like it was before.
Paths didn't change because because you changed the name of your Windows
account. If they did, there would be a very long wait as Windows had to
physically copy all the files to new paths or rename all those paths and
any object that pointed to those old paths to use the new path, like
shortcuts. Apps that used to work would malfunction because the paths
got changed.

If you hunt around the registry looking for instances where your old and
new account names (and your username) are used, you find only a few
places (that aren't part of some config for an app that was stored in
the registry). That's not where the username gets recorded. An account
doesn't exist until the first login for that account. Thereupon a lot
of stuff gets recorded in the SAM (Security Accounts Manager) database.
That includes the SID (security identifier, a very long string) and the
username used when first logging on.

Windows tracks your account by a unique SID (security identifier) in its
SAM (Security Accounts Manager) database. In there is probably where
your username gets stored. That's the username used on the first login
to the account. When you change the name of your account, that doesn't
create a new account. You are still using the same old account with a
new name but Windows still has the same SID assigned in its databse (as
well as registry entries under the HKEY_USERS hive) to that old but
renamed account. That's why when you rename your account there is no
change in the values of %username% and %userprofile% because those comes
out of the SAM database (or possibly from some hashed or encrypted
registry items that are binary so you can't find them using a text
search). You renamed your account but its SID remains the same (it's
still the same old account) and base config settings come out of the SAM
database.

In fact, if you have Windows' taskbar configured to show the account on
which you are logged in (by showing the "Logoff account" entry), you
might've logged on using "ednorton" as the username but you'll notice
the old account name of "marylamb" is shown under the Start menu.
Renaming an account can get a lot of stuff out of sync. So your account
was named marylamb, you renamed it to ednorton, but the logoff menu
still shows marylamb as well as the environment variables that are
defined by the OS out of values recorded for the account in the SAM
database.

Now you have a clue why renaming your account had no effect on what
Internet Explorer used to name a cookie. It uses the account name that
was originally stored on first login for the SID of the account under
which you logged in. Rather than say IE uses:



for a cookie name, probably better would be to say:



For the vast majority of Windows installations, account name and
username are the same to the first form is usually the syntax cited on
how IE forms filenames for cookies.

So IE is using your USERname, the one that was originally used to define
that same old account that you renamed. Renaming the account changes
the login credentials (i.e., the username specified there) but not the
username by which the account was first referenced or recorded.


Coming all the way back to your original inquiry (and now that you know
the username will remain fixed for an account no matter what account
name you give it) ...

The username that IE prefixes onto the filename for a cookie
) is NOT sent anywhere when the site asks the
web browser to divulge the *content* of that site's cookie that it
previously deposited on your host. Your username is NOT seen in the
data sent to the site. The site can only see what is *inside* the
cookie (a .txt file), not what it is named.

As I recall from reading some Javascripts, it is possible for a web site
via script in the web page delivered to your host to specify the domain
portion of the filename that the web browser uses when creating the
file. The web browser determines the username portion, the javascript
can determine the domain portion, the web browser decides the filetype
(of .txt) so you get - but the site doesn't get
to define nor discover the username portion.
Ads