Mention the importance of the application secret to stop Mojolicious::Session cookie tampering

[richardleach]

Hi, I enjoyed your LPW talk today.

The question of tampering with the cookie in apps using Mojolicious::Session came up today; Sessions.md also mentioned possible tampering in the browser.

This is covered well in Day 16: The Secret Life of Sessions but key takeaways are:

• Mojolicious::Session incorporates the application secret into the cookie signature to prevent tampering.
• The user can take the contents of a cookie and the signature to try to guess - offline, so the server doesn't see anything - the contents of the secret.
• So it's really important that the secret is changed from the default - which is just the application name IIRC - to something hard to guess (random, has high entropy - the post above suggest 12 chars but I'd go with 17 or more).
• Brute-force discovery of a strong secret is impractical. (Trying all permutations is computationally infeasible.) But there's always the teeny, tiny chance that an attacker could get lucky with their guessing, so periodic rotation of the secret is a good practice.

As a side note, Mojolicious::Session uses the HMAC-SHA1 algorithm, which isn't as strong as something like HMAC-SHA256, but should still be fine for use. Use of raw SHA-1 for signatures is definitely not safe any more, but no practical attacks against HMAC-SHA1 have been made public.

Would you like a PR for sessions.md that briefly covers the above?

[duffee]

Hi Richard,

Thanks for your comments. Quick reply. You raise some deeper issues that I need to address.

I've written a little on the default secret in Sessions.md, but since version 7 came out this year (and 8 was released in September) the default secret is generated randomly in your app.conf file which covers point 3.

I'll work up my notes this aft and happily take a PR after 5pm GMT (in about 3 hours)

[richardleach]

Aha, thanks for letting me know about the default secret. This only happens if you do something like "mojo generate app <appname>" though. I often create single-file throwaway Mojolicious::Lite apps and for these the default secret is still the app moniker. This might catch some people out, so still worth mentioning.

Also, you'd think it'd be obvious, but it's also worth reminding people not to re-use good secrets that they saw in a presentation. I've seen lots of cases on Github (not Perl projects) where people have done this. So much so that at my old company, we compiled a list of presentation secrets and used them when trying to crack JWT secrets!