Additional Message Data for signing only.

[genusistimelord]

So I would like to know If it would be OK to update the Signed and Encrypted Cookies to allow an Addition &[u8] or &str to the Functions parameters to allow users the ability to Append things like IP, UserAgents, JA3 hash to the Message Portion of the Signing procedure. I think by doing it with a &[u8] or &str would allow the users to add whatever Additional information needed for signing without having to insert this information into the cookies value. This will help secure cookies and tie them more Directly to the browser they were created for.

We could do this by creating some new functions that could handle the signing with additional information for the message. Or we could do API breaking changes. Either way I see this as a good way to enhance Security for Cookies.

[SergioBenitez]

I'm not sure I follow. Why can't that information be part of the cookie value?

[genusistimelord]

For encrypted cookies it wouldn't matter since it is encrypted, But for signed cookies you don't want this there. If someone were to intercept this then they could simply ensure their IP, User Agent, JA3 finger print all match the end user to be able to reuse the cookie as is. The purpose is so we can make sure an outside threat cant just steal the cookie and reuse it else where. The only time this can not be fully prevented is if they can get all of that information OR if they were capable of using the browser that requested the cookie directly. If they are able to use the browser directly then you are already compromised and there is not much we can do.

[SergioBenitez]

It seems you can accomplish what you want by simply hashing those values and then putting the hash in a signed cookie. I don't think we need anything special in this library to support your use-case.