Session state's email stored in clear in the cookie #60
Comments
With the
In the session_state in the If you agree I can do a PR with this fix.
@costelmoraru What is the problem with this approach? In this case the cookies are only available by the browser to be sent over HTTPS (so no man in the middle reading the cookie) and can't be read by client-side scripts (so no malicious scripts finding anything out); the only real way to see the content would be on the user's machine using something like developer tools. But I would expect the user would know their email anyway? I appreciate enterprises can be quite strict with their security requirements, but I am struggling to see the security flaw here. Your proposed solution does however seem sensible.
Issue closed by the PR #120.
Expected Behavior
Some enterprises request that no information be exposed through the cookie value when a cookie-secret is provided.
Current Behavior
However, the current implementation only base64-encodes the email value, which exposes it to anyone who can read the cookie. In the same cookie, the Session State encrypts the accessToken, IDToken, ExpiresOn and RefreshToken.
Possible Solution
During the EncryptString part of the session_state, when a cookie.Cipher is provided, also encrypt the account info (email and user) together with the rest of the SessionState fields.
Correspondingly, the Decode of the Session State should decrypt the email and user along with those fields.
Steps to Reproduce (for bugs)
Context
Some enterprises do not allow exposure of any useful information in cookies.
Your Environment
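The following Go program is an added example illustrating the two encodings this issue contrasts; it is not the project's code and not the PR that closed the issue. EncodeLegacy models the reported behaviour (account info merely base64-encoded next to an encrypted token blob), EncodeEncrypted and DecodeEncrypted model the proposed fix (everything, email and user included, goes through the cipher), and AccountVisibleWithoutSecret is the check a reviewer would run to confirm what a cookie value gives away with no knowledge of the secret. The SessionState struct, the Cipher type (AES-GCM keyed from a SHA-256 of the cookie secret), the "|" separator and all function names are assumptions made for this example rather than the project's own API.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
	"unicode/utf8"
)

// SessionState carries the fields the issue lists; struct and field names are assumptions, not the project's type.
type SessionState struct {
	Email        string    `json:"email"`
	User         string    `json:"user"`
	AccessToken  string    `json:"access_token"`
	IDToken      string    `json:"id_token"`
	RefreshToken string    `json:"refresh_token"`
	ExpiresOn    time.Time `json:"expires_on"`
}

// Cipher wraps AES-GCM keyed from the cookie secret (assumed here; not the project's own cookie.Cipher).
type Cipher struct{ aead cipher.AEAD }

func NewCipher(cookieSecret string) (*Cipher, error) {
	key := sha256.Sum256([]byte(cookieSecret))   // derive a 32-byte AES-256 key from the secret
	block, _ := aes.NewCipher(key[:])            // a 32-byte key is always a valid AES key
	aead, err := cipher.NewGCM(block)
	return &Cipher{aead: aead}, err
}

// EncodeEncrypted is the proposed fix: with a cipher configured, the whole SessionState
// (account info included) is sealed as base64url(nonce || ciphertext || tag).
func EncodeEncrypted(s *SessionState, c *Cipher) (string, error) {
	plain, err := json.Marshal(s)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, c.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(c.aead.Seal(nonce, nonce, plain, nil)), nil
}

// DecodeEncrypted is the matching decode step, which now decrypts email and user
// along with the tokens; Open fails on a wrong secret or a modified cookie value.
func DecodeEncrypted(cookie string, c *Cipher) (*SessionState, error) {
	raw, err := base64.RawURLEncoding.DecodeString(cookie)
	n := c.aead.NonceSize()
	if err != nil || len(raw) < n {
		return nil, fmt.Errorf("malformed cookie value")
	}
	plain, err := c.aead.Open(nil, raw[:n], raw[n:], nil)
	if err != nil {
		return nil, err
	}
	var s SessionState
	err = json.Unmarshal(plain, &s)
	return &s, err
}

// EncodeLegacy models the behaviour the issue reports: the account part ("email:user")
// is only base64-encoded, followed by "|" and the encrypted token fields.
func EncodeLegacy(s *SessionState, c *Cipher) (string, error) {
	rest := *s
	rest.Email, rest.User = "", "" // only the token fields go through the cipher
	sealed, err := EncodeEncrypted(&rest, c)
	if err != nil {
		return "", err
	}
	account := base64.RawURLEncoding.EncodeToString([]byte(s.Email + ":" + s.User))
	return account + "|" + sealed, nil
}

// AccountVisibleWithoutSecret base64-decodes the part before "|" with no knowledge of the secret
// and returns it if it is UTF-8 text containing "@": "email:user" for the legacy encoding,
// "" for the sealed encoding, whose decoded bytes are ciphertext rather than text.
func AccountVisibleWithoutSecret(cookie string) string {
	raw, err := base64.RawURLEncoding.DecodeString(strings.SplitN(cookie, "|", 2)[0])
	if err != nil || !utf8.Valid(raw) || !strings.Contains(string(raw), "@") {
		return ""
	}
	return string(raw)
}

func main() {
	c, _ := NewCipher("constructed-cookie-secret") // constructed secret; NewCipher cannot fail for AES
	s := &SessionState{Email: "alice@example.com", User: "alice", AccessToken: "constructed-at", IDToken: "constructed-idt", RefreshToken: "constructed-rt", ExpiresOn: time.Now().Add(time.Hour)}
	legacy, _ := EncodeLegacy(s, c)
	fixed, _ := EncodeEncrypted(s, c)
	fmt.Printf("legacy cookie, read without the secret: %q\nencrypted cookie, read without the secret: %q\n", AccountVisibleWithoutSecret(legacy), AccountVisibleWithoutSecret(fixed))
}
```

Running it prints the account string for the legacy cookie and an empty string for the sealed one. Using an AEAD (GCM) rather than a bare stream cipher for the fix also means a cookie whose value has been altered, or one issued under a different cookie-secret, is rejected at Decode instead of being parsed into a partially garbage SessionState.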