[snoyberg]

The clientsession package (which is what we use) both encrypts and applies a hash to the payload. Hashing prevents users from tampering with the data, and encrypting prevents inspection of the data. This means that you can even store sensitive data in a cookie without worrying if it's being compromised. (Not to say I recommend that practice, but it is possible.)

There is of course some performance overhead to encrypting, but Felipe's skein package has been highly optimized, and Yesod is still able to achieve ~50,000 req/sec on modest hardware. (Apologies for not having more accurate numbers, I haven't run our benchmark suite on EC2 in over a year.)

[shadowfiend]

The content of the cookie isn't compromised, but you can trivially sidejack a cookie on an unencrypted connection and access the information through the website itself, in essence stripping any security. Arguably encrypting the cookie is a waste of processor time, but more importantly I think you may be giving people a false sense of security. The proper way to do secure interactions is via SSL, and I'm not sure encrypted cookies vs simply HMACed cookies gives you any true security advantage (as session storage or anything else).

[gregwebs]

SSL is (important as you say but) orthogonal to this issue. If you steal a non-encrypted cookie and take over a user's session the result is the same.

[shadowfiend]

Yes, that's precisely what I'm saying. So, let me put it differently: what security advantage does an encrypted session cookie confer? I see two possibilities:

- Someone who hijacks a request with the cookie in it cannot see the data in the cookie. But they can access the site as the user, so there is no real world benefit to this fact. - Someone on the same computer cannot see the data in the cookie. But again, they have the cookie value, so they can access the site as the user, so there is again no real world benefit to the fact that they can't see the data in the cookie itself, because they can interact with the site and see the data there.

I guess I'm just looking for an example scenario where the cookie being encrypted offers a concrete benefit from a security standpoint.

[santadays]

I might be wrong here but I think it prevents against a user tampering their own cookie. Say I store User_Id:5 in a cookie and pass it over an ssl connection. The user can still change from User_Id:5 to User_Id:6 and get user 6's account info. Typically you would have to store a non guessable token instead to avoid this. I think by encrypting the cookie you provide the non-guessable part of the equation without having to think about it. This isn't really a benefit from a security standpoint (as in it doesn't provide more security), but it is convenient.

Could be wrong here, I'm not very familiar with Yesod.

[cies]

the hashing prevents tinkering/tampering

the encryption prevents reading (and thereby also -- to some extend -- but not specifically tinkering/tampering)

[gregwebs]

As has been said already there is no benefit. It is just a convenient default session storage.

[shadowfiend]

Got it! That makes sense, thanks for following my argument through :)

[cies]

i can think of only one case: that in which the site owners dont want the user (or sidejacker in case of a non-SSL connection) to see some data they wish to put in the cookie.

i'd cannot think of a web app i worked on where this was needed.

(the hashing is cool though -- tinker prevention is common to be a-good-thing)

[shadowfiend]

Notably, this would only happen if you have data in the user's session that the user themselves cannot get to by using the site. I confess I can't think of any such session data, but I suppose it could exist.

And yes, some sort of HMAC is pretty much mandatory if you're going to do client-side session storage securely, no question.