BitsDevelopmentTeam / bits-server

Presence and logging daemon for BITS system.
GNU General Public License v3.0

Make signed cookie even safer #12

Closed esseks closed 10 years ago

esseks commented 11 years ago

NOTE: this is not really an issue, SSL solves it completely, still it came to my mind and I would like to share it with you.

Currently, the signed cookie contains the username. This is sound against cookie forging, because the signature is verified by the server, but it is vulnerable to cookie stealing: anyone owning the cookie can impersonate the logged user for a day at most (cookies are timestamped).

SSL solves this issue, but in the meantime we could consider inserting some additional data in the signed cookie and verifying it upon each request. Here are pros and cons of storing various user data:

  1. user agent: can be spoofed even more easily than the cookie, not sound.
  2. user IP address: cannot be spoofed easily, but there are situations where a user's IP address changes legitimately: when accessing from a mobile phone, when moving from one campus building to another...
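
The trade-off in the comment above, as an added example that is not bits-server's own code: an HMAC-signed, timestamped cookie with an optional client-IP binding checked on each request. The cookie layout, the key, and the names `issue_cookie` and `verify_cookie` are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import json
import time

SECRET = b"constructed-demo-key"  # assumption: server-side signing key
MAX_AGE = 24 * 3600               # cookies are valid for a day at most


def _sign(payload: bytes) -> bytes:
    return hmac.new(SECRET, payload, hashlib.sha256).hexdigest().encode()


def issue_cookie(username, client_ip=None, now=None):
    """Return 'payload|signature'; client_ip is the optional binding."""
    claims = {"user": username, "ts": int(time.time() if now is None else now)}
    if client_ip is not None:
        claims["ip"] = client_ip
    raw = json.dumps(claims, sort_keys=True).encode()
    payload = base64.urlsafe_b64encode(raw)
    return payload.decode() + "|" + _sign(payload).decode()


def verify_cookie(cookie, client_ip, now=None):
    """Return the username, or None if forged, expired or bound elsewhere."""
    payload, sep, signature = cookie.partition("|")
    expected = _sign(payload.encode())
    if not sep or not hmac.compare_digest(expected, signature.encode()):
        return None  # forged or tampered: signature does not match
    claims = json.loads(base64.urlsafe_b64decode(payload))
    now = time.time() if now is None else now
    if not 0 <= now - claims["ts"] <= MAX_AGE:
        return None  # older than one day
    if "ip" in claims and claims["ip"] != client_ip:
        return None  # presented from an address other than the bound one
    return claims["user"]


if __name__ == "__main__":
    t0 = 1_400_000_000  # constructed timestamp
    plain = issue_cookie("alice", now=t0)
    bound = issue_cookie("alice", client_ip="192.0.2.10", now=t0)
    # Constructed requests: same cookie, two different source addresses.
    print(verify_cookie(plain, "198.51.100.7", now=t0 + 60))
    print(verify_cookie(bound, "192.0.2.10", now=t0 + 60))
    print(verify_cookie(bound, "198.51.100.7", now=t0 + 60))
```

The final check returns `None` whether the second address belongs to someone replaying a copied cookie or to the same user who moved to another network, which is the drawback listed for the IP option.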

esseks commented 10 years ago

We have adopted TLS, the only sound solution. No more need to investigate this.