New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Sign the auth token cookie and make it httpOnly #215
Conversation
Sign the auth token cookie and make it httpOnly
Really nice, thanks so much! 🐟 |
@eviltrout @tms this broke the message bus cause there is a duplicate code path in current user that was not touched. I am fine with http only, but a lucky guess of a sha1 hash is pretty much as lucky as an astroid hitting while I am typing. Don't see any point in signing these cookies. |
correction, its actually more secure than a sha SecureRandom.hex(EmailToken.token_length) Its basically a GUID, you cant guess a GUID |
My main concern here is that the value never, ever changes, and you don't have to know anything other than the value. So with enough values in use, it becomes less impractical that someone could guess the token of some existing user. Not a specific user, of course, but a random one, and that's enough for bad publicity. |
Signing the cookie requires them to also know the server's secret key, which would be practically impossible without them having compromised the system in a way that made these safeguards irrelevant, but I guess we could also just change That'd move it back into "asteroid hitting" territory, since it would impose the condition you'd have to have the right hash for a specific user, instead of just any user. |
you can't guess a guid no matter how hard you try, the only thing you are On Sun, Feb 24, 2013 at 12:32 AM, tms notifications@github.com wrote:
|
I know it's not practical, it just feels wrong to make it easier than necessary. But that's fine, I'll revert the signing if that's the way you want to go, since the risk isn't appreciable. My other consideration in signing the token was that you could invalidate all of them by changing the site's secret key if there was some situation that warranted that. Currently you'd have to change everyone's token value to get the same result. |
It doesn't sound like it's needed but I think the bigger problem here is On Saturday, February 23, 2013, tms wrote:
|
Yeah, the Alright, I'll go ahead and remove the signing and take care of the test case then. |
Unsign auth token cookies per discussion on #215
Make dropbox image matching more strict
Since this seems to be a non-expiring value, eliminating the potential to make a lucky guess and protecting the cookie from XSS sniffing seems like the best call.