Replies: 12 comments 17 replies
-
|
Beta Was this translation helpful? Give feedback.
-
I think to accommodate this use case, the save() function in the SessionStore trait would have to return at least the session identifier (or an Option wrapping one), and for the middleware to use the Set-Cookie header whenever the implementation returns such a session identifier That would allow a client-side storage implementation to fit the trait, by serialising and signing the session data into a new identifier |
Beta Was this translation helpful? Give feedback.
-
I think this is in conflict with a core design consideration of |
Beta Was this translation helpful? Give feedback.
-
There are use cases where the design and operation of the server-side is much simpler if client-side sessions are a possibility, i.e. if there is no DB and having server-side sessions is the only reason a DB would be needed But, it's understandable if such use cases are firmly out of scope for this project |
Beta Was this translation helpful? Give feedback.
-
Returning to Django for a moment, it does provide serialization to the cookie, but it's discouraged: it represents a serious security risk and comes with other caveats, like cookie size. Looking back on |
Beta Was this translation helpful? Give feedback.
-
For the record, the Elixir session frame work recommends storing sessions in cookies, and it is the default: https://hexdocs.pm/phoenix/1.3.0-rc.1/sessions.html#cookies If this is a security issue or not, not sure. I guess it depends on what the session is used for, and what the consequences would be if an attacker got access. e.g. the risk of somebody stealing a not-expired token from a logged out session in order to access my web site that allows turning on/off my lights is pretty remote IMHO. But perhaps it is risky that the Pheonix docs don't even mention any of the limitations of the default method. So I could imagine people are using it inappropriately without realising. e.g. if I logged out of my bank on a shared computer, I would be somewhat stunned and surprised if somebody could still access my bank account using the already obtained token. Regardless, I plan to upgrade my app to use a database. At least attempt to do so :-). If this bug report is closed with "working as designed" I would be slightly sad, but this is OK with me. |
Beta Was this translation helpful? Give feedback.
-
I haven't really looked at this closely, but async-session implemented a cookie store. We might be able to do the same. (I'm not sure it should be baked into this crate, again regarding security.) |
Beta Was this translation helpful? Give feedback.
-
Session state via signed/encrypted cookies is pretty common and very useful since it's stateless (ie, no need for a backend storage). Django has warnings about it because that's specific to their own implementation where, by default, the cookies are only signed, not encrypted. There's nothing inherently insecure with encoding session state in a signed/encrypted cookie. The implementer just needs to understand what they're doing. Hence the warning in Django's docs. It's not "discouraged". I would love to be able to use signed/encrypted cookies for session storage instead of a dedicated session storage backend. |
Beta Was this translation helpful? Give feedback.
-
There's another aspect of not signing session id in cookie: DB leak. In some sense, session cookie is like a password in single factor auth: if you can get/craft a copy of valid cookie for some user, then you can impersonate them. If attacker could get a copy of DB, and there's straight up session ids inside, then attacker could impersonate any user with active session. Imagine storing raw passwords. There's at least two ways of solving this, both rely on MAC to implement peppering of sorts. One is "usual": sign cookie value before setting it and validate signature in cookie before accepting. Signature could be as simple as attaching HMAC-SHA256, computed on separate secret. Now attacker needs to forge HMAC as well, and secret for it should not be present in DB. Other is reversed: cookie values are not signed, but we avoid storing them "raw" in DB, and instead store hash, just like with passwords. For example, to verify incoming session id from cookie one could split that id in half, use one part to locate record in DB, calculate HMAC on another part using separate secret, and check if that matches hash in DB in constant time. Here's useful post on that technique: https://paragonie.com/blog/2017/02/split-tokens-token-based-authentication-protocols-without-side-channels I've just checked So, I think that some way of protecting against DB leaks must be implemented, or even both (to allow crate users to choose their own adventure). Signed cookies could be implemented in a single place, somewhere around part that generates Line 34 in 060790d Hashes in DB would require either to implement support in every store, or to change Just to be clear: I'm not against stateless sessions per se, or their support in this crate. Even if public API for session is same, they are two different things design-wise, and session manager would be very different. For example there's no "store" at all in stateless sessions. There's a need for signing even for stateful sessions, just like they are implemented today. I'm looking for a way to use stateful sessions in one of my projects. I'm interested in using tower-sessions, and as a workaround, I could just copy existing store and add support for hashing inside |
Beta Was this translation helpful? Give feedback.
-
I've put together a PR that enables signing and encryption via feature flags. It's a bit gross to gate a property of the session manager struct behind a feature flag like this, but I couldn't immediately think of a better way that wouldn't involve having to implement |
Beta Was this translation helpful? Give feedback.
-
Signing the session ID cookie would allow the app to avoid making a database query when the cookie contains a value that has been tampered with. That alone should be a good enough reason to allow signing the cookie even though it only contains a random identifier. |
Beta Was this translation helpful? Give feedback.
-
Use case for client side session: Currently my server creates a new session also for machine side calls (such as kubernetes health checks) which leads to an continous increase of memory. Is there a way to work around that or ideas how we could prevent such behavior in future? For simplicity the layer covers all my routes. |
Beta Was this translation helpful? Give feedback.
-
This crate is suppose to replace the axum-sessions crate - which is now deprecated. But as far as I can tell, axum-sessions supports storing sessions in signed cookies (https://docs.rs/async-session/latest/async_session/struct.CookieStore.html), but this library does not.
My axum application does not have any kind of database, and uses oidc to authenticate. Adding a database just to keep track of the login would appear to be an overkill.
At the present, it would appear that the MemoryStore is my only solution, but presumably that will lose all sessions on restarting my program.
Beta Was this translation helpful? Give feedback.
All reactions