Open asavageiv opened 3 months ago
Yes, that’s a great idea! 😄 Thanks for offering to tackle this!
Is storing the challenge in the cookies allowed per the specification? https://w3c.github.io/webauthn/#sctn-cryptographic-challenges
Could an attacker who can see the cookies being sent replay an authentication request to gain access to the system? Deleting the challenge from the session doesn't prevent that, right?
Shit; it’s possible, yeah; based on these docs: https://guides.rubyonrails.org/security.html#replay-attacks-for-cookiestore-sessions
We should have integration or system tests that test this session replay attack scenario; and figure out next steps if it is possible.
My plate is swamped currently; could you write these tests?
Unfortunately I am also swamped at the moment. Do you agree it's a non-issue for HTTPS?
Would you be interested in a PR that adds `store_challenge_in_jwt` to `AuthenticationInitiationHelpers`? This would help out apps that can't use cookies.
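The session replay scenario raised earlier in this thread can be pinned down as a test. The sketch below is an added example, not code from this project or from any participant; `seal`, `unseal`, `begin_auth`, `finish_auth` and `replay_outcomes` are hypothetical names, the cookie is a simplified HMAC-signed stand-in for a CookieStore session, and the assertion check is reduced to echoing the challenge.

```ruby
require "openssl"
require "json"
require "securerandom"
require "set"

SECRET = SecureRandom.bytes(32) # constructed signing key for this demo

# Constant-time string comparison.
def secure_eq(a, b)
  a.bytesize == b.bytesize && a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Hypothetical stand-in for a signed, client-held session cookie.
def seal(session)
  body = [JSON.generate(session)].pack("m0")
  "#{body}--#{OpenSSL::HMAC.hexdigest("SHA256", SECRET, body)}"
end

def unseal(cookie)
  body, mac = cookie.to_s.split("--", 2)
  return {} if body.nil? || mac.nil?
  return {} unless secure_eq(OpenSSL::HMAC.hexdigest("SHA256", SECRET, body), mac)
  JSON.parse(body.unpack1("m0"))
end

# Step 1: issue a challenge and keep it only in the cookie.
def begin_auth
  seal("challenge" => SecureRandom.hex(16))
end

# Step 2: `echoed` stands in for the challenge carried by the signed assertion
# (assumption: real WebAuthn signature verification is omitted here).
# `spent` is nil for cookie-only state, or a server-side Set of used challenges.
def finish_auth(cookie, echoed, spent = nil)
  challenge = unseal(cookie)["challenge"]
  ok = !challenge.nil? && secure_eq(challenge, echoed)
  ok &&= !spent.add?(challenge).nil? if spent # add? returns nil when already used
  [ok, seal({})] # the cookie sent back no longer holds the challenge
end

# Sends the same captured cookie and response twice: [first, replayed].
def replay_outcomes(spent)
  cookie = begin_auth
  echoed = unseal(cookie)["challenge"]
  first, _fresh_cookie = finish_auth(cookie, echoed, spent)
  replayed, = finish_auth(cookie, echoed, spent)
  [first, replayed]
end
```

With cookie-only state the second submission is accepted, because the deletion lives only in the new cookie; tracking spent challenges on the server makes it fail.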