-
Notifications
You must be signed in to change notification settings - Fork 529
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Provide a way to encrypt cookies #28
Comments
Never mind. It's already implemented in CookieHandlerImpl |
Hmm, I actually removed this in a recent commit. Are you referring to signing cookies? (Signed cookies values are not encrypted) |
Hi Tim, Yes I am referring to encrypting cookies (via a Java Cipher for instance) Does it make sens? |
You should just use HTTPS for that. |
Sorry for the late answer, it was prety hectic lately. The main issue with 'regular' cookies is that they can be modified client-side. If you use HTTPS it prevents people from eyedropping the data (including cookies) transmitted back and forth between the client and the server. IMHO HTTPS is a must have in almost any web applications. Encrypting cookies (AES 256, CBC for instance) prevents users from tampering data stored inside cookies. In some case, it's perfectly OK to use plain-text cookies. In others cases, we really want to make sure that cookie data can't be modified in any way. From a technical stanpoint, it's a no brainer to support cookie encryption. The 'challenge' though is to make sure that people can use whatever encryption technology they want (AES, Blowfich, HMAc + AES, etc...) I propose we add the interface CookieCodec. We provide a couple of must-have implementations of that interface. We also need to update the CookieHandler as follow: /**
If there is an interest from others people I can work on this and submit a PR quickly. |
+1, I'm in favor. |
I think this would be a nice feature, although usually this requirement can be designed away by never storing important information in a cookie and just using an id to lookup the session on the server side. E.g. the Vert.x session cookies are cryptographically secure random GUIDs so it doesn't matter if they are tampered with. |
The issue with looking up the info on server is, 1) you take up server I think it would be nice to offer support for both server as well as client On Mon, Mar 23, 2015 at 4:05 PM, Tim Fox notifications@github.com wrote:
|
A little security improvement could be to set the HttpOnly flag in order to prevent cookie stealing by an XSS attack (https://www.owasp.org/index.php/HttpOnly). |
Added a new interface Crypto that can be used to encrypt/decrypt String (not only Cookies) Provided an implementation of the Crypto interface based on AES/CBC/PADDING + HMAC Modified existing Cookie classes to add the Crypto feature Signed-off-by: Stephane Bastian <stephane.bastian@monpetitguide.com>
as @leolux says, HttpOnly should be default options for session cookies to help mitigate attacks using the cookie and scripting. In additional the other parts of this issue such as encryption are valuable. |
Instead of encrypted cookies we can sign cookies which is common on other frameworks such as node, Django, php. That would be easier to implement since it is just a endHandler that when active will sign the cookie and a validator when reading the cookie. That and using httpsOnly would already give you a high level of trust. The problem of encrypting a cookie is that clients will not be able to read the cookie anymore unless there is a decrypter at the client side. if you have a decrypted in javascript if will probably make it way to easy to break the security since the scripts would be available freely. |
What is the state of this feature ? Can we sign or encrypt cookies ? Now, using an encrypted (or just signed) cookies to store the session is the default of most web frameworks... The main advantage of storing session in a cookie is because it's more easier to scale (and it doesn't make the app less secure, I would even say it makes it more secure because sessions are not stored in a centralized place). Using httpOnly should be the default too. A well coded web application rarely need to access cookie in JavaScript (and if it's needed it can be enable because it's just an option). Also we should have ability to mark the cookie as "secure" when used in conjonction with https. |
@serphacker it is not implemented since the discussion was still open and no consensus was achieved. Also if we're at it, it could be nice to revisit the session code and see if we could implement a cookie based session storage since at the moment you can only store your sessions (backend wise) using a local or shared map. |
Yes it is more about providing a cookie based session system than a "whole cookie encryption". If the session value is stored client side (in a cookie) it should be :
I did take a look at SessionStore, SessionHandler etc. and it would need a bit of refactoring to support CookieSession. |
@serphacker are you volunteering for a PR for this then? |
I can't now, I don't know yet if I switch from ninjaframework to vertx-web for our next project. So don't count on me now. |
@serphacker ok no problem, i'll mark it as "help wanted" since we are currently hands full with other issues and soon adding support for HTTP2 so this is currently not critical. |
@serphacker @purplefox @pmlopes I'm actually implementing a similar solution on a private project.. |
Closing as there's no activity for more than 1 year. Cookies can be updated or modified easily with a custom handler. |
No description provided.
The text was updated successfully, but these errors were encountered: