calebmer / connect


Sign cookies with a secret key only known by the server #26

Open calebmer opened 5 years ago

calebmer commented 5 years ago

This is a takeaway from the thoughtbot Application Security guide.

Cookies are user-controlled input and, therefore, should be treated with suspicion. If possible, don't rely on a cookie.

Cookies can be copied between browsers. Just because a request sends a cookie does not mean that the cookie was sent by the user's original browser. It might come from curl.

One way to retain control over the cookie data is to sign it using a secret key only known by the server. Rails does this for you.

We use cookies to hold user authentication tokens. Think about the lifecycle of a cookie and how to secure it.

calebmer commented 5 years ago

Our tokens are kinda encrypted anyway, does this really matter? Access tokens are signed with a secret only the server knows. Refresh tokens are a UUID generated by the server.

So an attacker can’t spoof access tokens since you’d need to know the server-only secret.

An attacker could brute-force guess a refresh token UUID though. This would not be a targeted attack; this would give an attacker random access to a session. We should think about how to prevent this.