ghost changed the title "CookieIdentityPolicy should generate a warning when a private cookie has been tampered with" to "CookieIdentityPolicy should raise a warning when a private cookie has been tampered with" on Mar 26, 2019

Hello

I have a question about the identity middleware and `CookieIdentityPolicy`. Let's say I manage my session cookies with

The way it's managed, session cookies are signed and encrypted with `private_key`, so that attackers and clients can't see/modify them without the server knowing.

`CookieIdentityPolicy` retrieves the cookies from the request with

actix-web/src/middleware/identity.rs, line 352 in 86a21c9

but only returns `None` (i.e. user is logged out) if `req.cookies()` returns an error. Such errors are returned if:

https://github.com/alexcrichton/cookie-rs/blob/9edf0ee7037440bf8244722c50804a278524811c/src/parse.rs#L108

The last two errors are from `Cookie::parse_encoded`.

The actual question:

If `private_key` is leaked, cookies can be altered in such a way that it raises error 1 or 3, and these errors are ignored by `CookieIdentityPolicy` (which just returns as if the user is logged out).

TL;DR: Shouldn't there be a warning if the session cookie is at least correctly signed/encrypted but isn't valid (urlencoded) UTF-8? For example:

Cookie: my_cookie_name=[random bytes signed and encrypted with `private_key`]
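As an added illustration of the distinction the issue draws (this is not code from actix-web or cookie-rs), the following Python model separates the two failure modes: HMAC-SHA256 over a percent-encoded value stands in for the real signed-and-encrypted private cookie, and only the case where the MAC verifies but the decoded value is not valid UTF-8 is logged, because that state can only be reached by someone holding `private_key`. The cookie layout, key and sample payloads are constructed for the example.

```python
import hashlib
import hmac
import logging
from enum import Enum
from typing import Optional, Tuple
from urllib.parse import quote_from_bytes, unquote_to_bytes

log = logging.getLogger("identity")


class Verdict(Enum):
    ABSENT = "no cookie"                    # ordinary logged-out request
    BAD_MAC = "bad signature"               # forged/garbled cookie: no key knowledge shown
    TAMPERED = "authentic but malformed"    # valid MAC, yet not UTF-8: key leak suspected
    OK = "identity restored"


def make_cookie(key: bytes, payload: bytes) -> str:
    """Constructed stand-in for a private cookie: percent-encoded bytes + '.' + hex HMAC."""
    body = quote_from_bytes(payload, safe="")
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


def check_identity(key: bytes, cookie: Optional[str]) -> Tuple[Verdict, Optional[str]]:
    """Mirror the policy's decision, but warn when the MAC passes and decoding still fails."""
    if cookie is None:
        return Verdict.ABSENT, None
    body, sep, tag = cookie.rpartition(".")
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    # Step 1: cryptographic check. A failure here proves nothing about the key,
    # so treating it as a plain "logged out" without logging is fine.
    if not sep or not hmac.compare_digest(tag.encode(), expected.encode()):
        return Verdict.BAD_MAC, None
    # Step 2: structural check. Only a holder of the key reaches this point,
    # so a decode failure here is evidence that the key has leaked.
    try:
        identity = unquote_to_bytes(body).decode("utf-8")
    except UnicodeDecodeError:
        log.warning("cookie verifies under private_key but is not valid UTF-8; "
                    "private_key compromise suspected")
        return Verdict.TAMPERED, None
    return Verdict.OK, identity


if __name__ == "__main__":
    key = b"constructed-demo-key"   # constructed sample key, not a real secret
    print(check_identity(key, make_cookie(key, b"alice")))
    print(check_identity(key, make_cookie(key, b"\xff\xfe")))   # logs a warning, TAMPERED
```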