Hacker News new | ask | show | jobs
by shadowfiend 5189 days ago
Yes, that's precisely what I'm saying. So, let me put it differently: what security advantage does an encrypted session cookie confer? I see two possibilities:

- Someone who hijacks a request with the cookie in it cannot see the data in the cookie. But they can access the site as the user, so there is no real world benefit to this fact. - Someone on the same computer cannot see the data in the cookie. But again, they have the cookie value, so they can access the site as the user, so there is again no real world benefit to the fact that they can't see the data in the cookie itself, because they can interact with the site and see the data there.

I guess I'm just looking for an example scenario where the cookie being encrypted offers a concrete benefit from a security standpoint.
3 comments
santadays 5189 days ago
I might be wrong here but I think it prevents against a user tampering their own cookie. Say I store User_Id:5 in a cookie and pass it over an ssl connection. The user can still change from User_Id:5 to User_Id:6 and get user 6's account info. Typically you would have to store a non guessable token instead to avoid this. I think by encrypting the cookie you provide the non-guessable part of the equation without having to think about it. This isn't really a benefit from a security standpoint (as in it doesn't provide more security), but it is convenient.

Could be wrong here, I'm not very familiar with Yesod.

link
cies 5189 days ago
the hashing prevents tinkering/tampering

the encryption prevents reading (and thereby also -- to some extend -- but not specifically tinkering/tampering)

link
gregwebs 5188 days ago
As has been said already there is no benefit. It is just a convenient default session storage.
link
shadowfiend 5188 days ago
Got it! That makes sense, thanks for following my argument through :)
link
cies 5189 days ago
i can think of only one case: that in which the site owners dont want the user (or sidejacker in case of a non-SSL connection) to see some data they wish to put in the cookie.

i'd cannot think of a web app i worked on where this was needed.

(the hashing is cool though -- tinker prevention is common to be a-good-thing)

link
shadowfiend 5188 days ago
Notably, this would only happen if you have data in the user's session that the user themselves cannot get to by using the site. I confess I can't think of any such session data, but I suppose it could exist.

And yes, some sort of HMAC is pretty much mandatory if you're going to do client-side session storage securely, no question.

link