duffee / Mojolicious_session_example

A simple Mojolicious application example for authenticating a user and maintaining a session
Artistic License 2.0
10 stars 5 forks source link

Mention the importance of the application secret to stop Mojolicious::Session cookie tampering #28

Open richardleach opened 6 years ago

richardleach commented 6 years ago

Hi, I enjoyed your LPW talk today.

The question of tampering with the cookie in apps using Mojolicious::Session came up today; Sessions.md also mentioned possible tampering in the browser.

This is covered well in Day 16: The Secret Life of Sessions but key takeaways are:

As a side note, Mojolicious::Session uses the HMAC-SHA1 algorithm, which isn't as strong as something like HMAC-SHA256, but should still be fine for use. Use of raw SHA-1 for signatures is definitely not safe any more, but no practical attacks against HMAC-SHA1 have been made public.

Would you like a PR for sessions.md that briefly covers the above?

duffee commented 6 years ago

Hi Richard,

Thanks for your comments. Quick reply. You raise some deeper issues that I need to address.

I've written a little on the default secret in Sessions.md, but since version 7 came out this year (and 8 was released in September) the default secret is generated randomly in your app.conf file which covers point 3.

I'll work up my notes this aft and happily take a PR after 5pm GMT (in about 3 hours)

richardleach commented 6 years ago

Aha, thanks for letting me know about the default secret. This only happens if you do something like "mojo generate app <appname>" though. I often create single-file throwaway Mojolicious::Lite apps and for these the default secret is still the app moniker. This might catch some people out, so still worth mentioning.

Also, you'd think it'd be obvious, but it's also worth reminding people not to re-use good secrets that they saw in a presentation. I've seen lots of cases on Github (not Perl projects) where people have done this. So much so that at my old company, we compiled a list of presentation secrets and used them when trying to crack JWT secrets!