oauth-wg / oauth-browser-based-apps

Best practices for OAuth in Browser-Based Apps
https://datatracker.ietf.org/doc/html/draft-ietf-oauth-browser-based-apps
Other
25 stars 12 forks source link

6.1.3.2 Question: benefits of encrypting cookie contents in BFF security #31

Closed nike61 closed 9 months ago

nike61 commented 9 months ago

I was unable to find an explanation for the following point: Additionally, the BFF SHOULD encrypt its cookie contents, to ensure that tokens stored in cookies are never written to disk in plaintext format. This security measure helps to ensure protection of the access token against malware that actively scans the user's hard drive to extract sensitive browser artifacts, such as cookies and locally stored data (see Section 8).

What is the advantage of encrypting cookies? If a malicious actor steals the cookie as plain text, couldn't they just send the entire cookie in a request?

aaronpk commented 9 months ago

emphasis mine:

Additionally, the BFF SHOULD encrypt its cookie contents, to ensure that tokens stored in cookies are never written to disk in plaintext format. This security measure helps to ensure protection of the access token against malware...

I believe this is meant to be an additional layer of security when the cookie actually contains the access token. While someone who steals the cookie can use the cookie regardless of whether the contents are encrypted, they can only use it at the BFF, whereas the access token itself might be able to be used elsewhere. I will add some text to clarify this.