Support Authenticated Encrypted Sessions #2317
Comments
marcusdacoregio
changed the title
|
Keeping secret key is a challenge. |
|
With @marcusdacoregio & @quaff guidance, I would like to work on this issue. |
|
Any progress on this one? Coming from Rails it's really weird there is no out of the box support for this in Spring Boot, I guess I will have to roll my own implementation |
|
Hi, @tarmolehtpuu. Thanks for reaching out. I plan to add it to 3.3, but most likely it will be included in the second milestone release. Please, subscribe to the issue to get notified about new updates. |
marcusdacoregio
changed the title
marcusdacoregio
changed the title
|
Hi, @tarmolehtpuu. Can you share a bit more how it works on Rail's side? Does Rail's use it for the authentication session cookie? How does it work when you have a few session attributes, are all attributes written to the cookie? |
|
@marcusdacoregio I can chime in here - Rails does indeed write additional attributes to the cookie (I learned that the hard way, since it's easy to exceed the 4k cookie size limit that way). You can find Rails' implementation in https://github.com/rails/rails/blob/main/actionpack/lib/action_dispatch/middleware/session/cookie_store.rb Also interesting to get some inspiration would be the implementation of ASP.NET Core: https://learn.microsoft.com/en-us/aspnet/core/security/authentication/cookie?view=aspnetcore-8.0 Be aware that these implementations do not seem to have protection in replay attacks that were raised in https://spring.io/blog/2014/01/20/exploiting-encrypted-cookies-for-fun-and-profit/. |
|
Thanks, @MatthiasWinzeler. I'm trying to identify if users really need the session attributes in the session cookie or what they are really looking for is a way to encrypt the |
|
@marcusdacoregio I can't talk for others, but I was looking to store a JWT token in the session (since that became a recommended pattern in https://datatracker.ietf.org/doc/html/draft-ietf-oauth-browser-based-apps#name-cookie-based-session-manage) - not sure whether that's in the |
|
This can be achieved using |
|
@marcusdacoregio to make sure I understand you correctly: so this issue right here would enable us to store the JWT obtained by your link above (which is indeed what I'm wanting to achieve) and store it in the encrypted cookie? if yes, then this issue here is exactly what I'd need for my use case. |
|
This support would enable us to store any session attribute in an (or more than one) encrypted cookie, if the JWT is in there, it doesn't matter from Spring Session perspective. Currently, you can store the access token (as a session attribute) in the session, save that session somewhere, and then return to your client only the session id. There is no need for encryption since all session information is stored on the server side. If you are using Spring Cloud Gateway for your BFF, you can rely on the |
|
@marcusdacoregio thanks, cool, I didn't know that Spring Cloud Gateway supported this. Having a different approach with the encrypted/signed cookie might be worthwhile nevertheless - for one, it's a recommended way to store access token in the BFF architecture which is recommended to build OAuth2 browser-based apps:
|
|
Yes the entire session is serialized in the cookie, which has the nice property of making all the spring boot apps stateless (client will pass the session state via the encrypted cookie). Using that to store has the 4kb limitation, but upside is that the request can go to any instance. |
One alternative that we have to provide stateless support is to store the session data in an authenticated encrypted cookie.
The Rails Session Storage documentation gives a good insight into the pros and cons of that approach.
Related:
The text was updated successfully, but these errors were encountered: