Closed ghost closed 5 years ago
This is a good point. Would you provide a PR?
Sure, though it doesn't seem that cookie-rs has support for cookies that are not utf-8
You forked cookie-rs, I can patch the fork and solve the breaking changes in actix-web?
sure
Hello, I have a question about the identity middleware and CookieIdentityPolicy.
Let's say I manage my session cookies with
The way it's managed, session cookies are signed and encrypted with private_key, so that attackers and clients can't see/modify them without the server knowing.
CookieIdentityPolicy retrieves the cookies from the request with https://github.com/actix/actix-web/blob/86a21c956c247ab098a7631bc18ae60032ef5eac/src/middleware/identity.rs#L352 but only returns None (i.e. user is logged out) if req.cookies() returns an error.
Such errors are returned if:
=
https://github.com/alexcrichton/cookie-rs/blob/9edf0ee7037440bf8244722c50804a278524811c/src/parse.rs#L108
The last two errors are from Cookie::parse_encoded.
The actual question: If private_key is leaked, cookies can be altered in such a way that it raises error 1 or 3, and these errors are ignored by CookieIdentityPolicy (which just returns as if the user is logged out).
TLDR: Shouldn't there be a warning if the session cookie is at least correctly signed/encrypted but isn't valid (urlencoded) utf-8? for example
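
The distinction this issue asks for, between a request with no session cookie and a Cookie header that fails to parse, shown as an added example that is not part of the original thread and is not actix-web or cookie-rs code. The error enum, the function names and the `session` cookie name are hypothetical, and signature/encryption checks are left out.

```rust
// Added example, std only; not actix-web or cookie-rs code. All names are hypothetical.
#[derive(Debug, PartialEq)]
enum CookieError { MissingPair, EmptyName, BadEncoding }
// Percent-decode one cookie component and require the result to be valid UTF-8.
fn percent_decode(s: &str) -> Result<String, CookieError> {
    let b = s.as_bytes();
    let (mut out, mut i) = (Vec::with_capacity(b.len()), 0);
    while i < b.len() {
        if b[i] == b'%' {
            let hex = b.get(i + 1..i + 3)
                .filter(|h| h.iter().all(u8::is_ascii_hexdigit))
                .ok_or(CookieError::BadEncoding)?;
            out.push(u8::from_str_radix(std::str::from_utf8(hex).unwrap(), 16).unwrap());
            i += 3;
        } else {
            out.push(b[i]);
            i += 1;
        }
    }
    String::from_utf8(out).map_err(|_| CookieError::BadEncoding)
}

// Ok(None) means "no such cookie"; Err means the header itself could not be parsed.
fn find_cookie(header: &str, name: &str) -> Result<Option<String>, CookieError> {
    for pair in header.split(';').map(str::trim).filter(|p| !p.is_empty()) {
        let (k, v) = pair.split_once('=').ok_or(CookieError::MissingPair)?;
        let k = percent_decode(k.trim())?;
        if k.is_empty() { return Err(CookieError::EmptyName); }
        if k == name { return percent_decode(v.trim()).map(Some); }
    }
    Ok(None)
}

// Still treats a bad header as logged out, but records a warning instead of dropping the error.
fn load_identity(header: Option<&str>, name: &str, warnings: &mut Vec<String>) -> Option<String> {
    match find_cookie(header?, name) {
        Ok(value) => value,
        Err(e) => { warnings.push(format!("rejected Cookie header: {:?}", e)); None }
    }
}

fn main() {
    let mut warnings = Vec::new();
    // Constructed sample headers: valid, absent, and a value that decodes to invalid UTF-8.
    for h in [Some("session=alice%40example.org"), None, Some("session=%FF%FE")] {
        println!("{:?} -> {:?}", h, load_identity(h, "session", &mut warnings));
    }
    println!("warnings: {:?}", warnings);
}
```

In a real service the warning would go to the application's logger, so that a run of rejected headers from one client shows up in monitoring.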