Closed allezxandre closed 2 years ago
pixelmund
commented
2 years ago We already store the expires property in the saved cookie/payload https://github.com/pixelmund/svelte-kit-cookie-session/blob/728087b3787018eefe4feb07aadf09e4dfbd4340/src/lib/core.ts#L38
pixelmund
commented
2 years ago Here we verify if the date is expired https://github.com/pixelmund/svelte-kit-cookie-session/blob/728087b3787018eefe4feb07aadf09e4dfbd4340/src/lib/core.ts#L190
allezxandre
commented
2 years ago Awesome! I don't know how I missed that.
Cheers
Hello! I'm looking into integrating this library into a project of mine, and I must start by saying that besides the package in itself which looks neat, the README is very well written and easy to follow. Thank you very much for the work!
I was wondering, what would prevent a malicious attacker from just getting a copy of the stateless session cookies produced by this package, and use it to access protected resources indefinitely in the future, regardless of the browser-enforced expiration?
I might be wrong, but from what I understand,
expiresis only used to set the Cookie Max Age, and it is not part of the encrypted/signed payload. So even though the Cookie payload is encrypted, any cookie will remain valid for as long as the server uses the same session secret, even after the actual non-malicious user generated new cookies.One mitigation I see today is through the rotation of secrets, but this is impractical for low-activity applications that do not get deployed often, and have low enough traffic to not have to rotate their encryption secrets.
Another way to prevent this problem would be to add an
expiresattribute to the encrypted payload, but it feels a lot like re-importing concepts from JWTs, and suggests we might need to import other concepts from the JWT world like theissuer, thenotBeforedate, thesubject, theaudience, etc... (see here)Or maybe there is some mechanism that I missed that prevents all that?