Cookie Cutter
Northbrew Coffee built a slick rewards site and a slicker loyalty cookie. They put a little too much information inside it.
The Scenario
Northbrew Coffee Co. — an indie roaster with eleven cafés across the Pacific Northwest — just launched their loyalty rewards site. The engineering team baked their account state into a single browser cookie so the experience would feel instant. They picked an encoding that's easy to read on the wire and easier still to read off it.
Challenge Intel
Synopsis
An entry-level look at how cookies carry state — and what happens when developers put sensitive data into a 'lightly obfuscated' value.
What It Is
Northbrew's site sets an `nb_session` cookie whose value is base64-encoded JSON: the user's loyalty tier plus an unrelated debug field that should never have shipped. Players open dev tools, find the cookie under the Application tab (Storage in Firefox), copy its value, and decode it. The lesson is that base64 is an encoding, not encryption: anyone can reverse it without a key, and the browser shows its user every cookie a site sets. Flags like `HttpOnly` hide a cookie from page JavaScript, not from the person holding the browser.
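As an added example (not code from the challenge page or from Northbrew), here is a small JavaScript decoder that does what the challenge asks: it reads `nb_session` out of a `document.cookie`-style string, checks whether the value looks like base64, decodes it in Node or a browser console, and parses the JSON. The two sample cookie strings and the field names in them (`user`, `tier`, `debug`) are constructed for this example, and the list of "suspicious" keys is a heuristic of mine, not something the challenge defines.

```javascript
// Added example: not code from the Cookie Cutter page or from Northbrew.
// Decodes a base64 JSON session cookie the way a player does in dev tools.
// Runs under Node (node cookie_cutter.js); in a browser console replace the
// constructed SAMPLE_COOKIES string with document.cookie.

// Constructed stand-in for document.cookie. The nb_session value is the base64
// of {"tier":"gold"}; the field names are assumptions, not the challenge's own.
const SAMPLE_COOKIES = 'theme=dark; nb_session=eyJ0aWVyIjoiZ29sZCJ9; _ga=GA1.2.1';

// Return the value of one cookie from a "k=v; k2=v2" string, or null.
function getCookie(cookieString, name) {
  for (const part of cookieString.split(';')) {
    const eq = part.indexOf('=');
    if (eq === -1) continue;
    if (part.slice(0, eq).trim() === name) {
      // Servers often percent-encode the '=' padding as %3D; undo that first.
      return decodeURIComponent(part.slice(eq + 1).trim());
    }
  }
  return null;
}

// Base64 by sight: only the standard (+ /) or URL-safe (- _) alphabet, optional
// '=' padding, and a length that is never 1 mod 4. A hit means "try decoding",
// not proof; short plain words like "dark" pass too.
function looksLikeBase64(s) {
  return /^[A-Za-z0-9+\/_-]+={0,2}$/.test(s) && s.length % 4 !== 1;
}

// Decode base64 (standard or URL-safe, padded or not) to a UTF-8 string.
function base64ToUtf8(b64) {
  const std = b64.replace(/-/g, '+').replace(/_/g, '/').replace(/=+$/, '');
  const padded = std + '='.repeat((4 - (std.length % 4)) % 4);
  if (typeof Buffer !== 'undefined') {
    return Buffer.from(padded, 'base64').toString('utf8'); // Node
  }
  const bytes = Uint8Array.from(atob(padded), (c) => c.charCodeAt(0)); // browser
  return new TextDecoder().decode(bytes);
}

// The reverse direction, used only to build the second constructed sample.
function utf8ToBase64(text) {
  if (typeof Buffer !== 'undefined') return Buffer.from(text, 'utf8').toString('base64');
  return btoa(String.fromCharCode(...new TextEncoder().encode(text)));
}

// Keys whose presence in client-side state deserves a second look. Heuristic only.
const SUSPICIOUS_KEY = /debug|secret|admin|password|token|flag/i;

// Decode a session cookie and report what the server put in it.
function inspectSessionCookie(cookieString, name = 'nb_session') {
  const raw = getCookie(cookieString, name);
  if (raw === null) return { found: false };
  if (!looksLikeBase64(raw)) return { found: true, base64: false, raw };
  const decoded = base64ToUtf8(raw);
  try {
    const state = JSON.parse(decoded);
    return {
      found: true, base64: true, json: true, state,
      suspiciousKeys: Object.keys(state).filter((k) => SUSPICIOUS_KEY.test(k)),
    };
  } catch (_) {
    // Valid base64 but not JSON: hand the raw text back for a manual look.
    return { found: true, base64: true, json: false, decoded };
  }
}

// Second constructed sample, shaped the way the challenge describes: a tier and
// a debug field that should never have shipped. Values are invented here, and
// the base64 is percent-encoded to exercise the %3D padding case.
const RICH_COOKIES = 'nb_session=' + encodeURIComponent(utf8ToBase64(JSON.stringify({
  user: 'mara', tier: 'gold', debug: 'hypothetical-debug-value',
})));

// Node entry point; a no-op when pasted into a browser console.
if (typeof require !== 'undefined' && typeof module !== 'undefined' && require.main === module) {
  console.log(inspectSessionCookie(SAMPLE_COOKIES));
  console.log(inspectSessionCookie(RICH_COOKIES));
}
```

In a browser console, paste the functions and call `inspectSessionCookie(document.cookie)`. A cookie marked `HttpOnly` will not appear in `document.cookie`, but it is still visible under the Application/Storage tab and in the Network panel, so copy it from there and pass the string in by hand.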
Who It's For
Brand-new web hackers — anyone who has never opened the Application tab (Storage in Firefox) in dev tools.
Skills You'll Practice
- Inspecting cookies in browser dev tools
- Recognising base64 by sight
- Decoding base64 with `base64 -d`, CyberChef, or `atob()` in the browser console
- Reading JSON the server sent you
What You'll Gain
- First confident decode of a base64 string
- An instinct to inspect every cookie a site sets
- Understanding that 'encoded' is not 'encrypted'
- Vocabulary for reasoning about client-side state