New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Authkey / cookie login security. #5266
Comments
Cookies are already signed and use httpOnly. See |
Do you have any other concerns? |
Ah, i found it. Still the other concerns remain valid:
(Not sure why adding the duration to the cookie, since afaik you cannot reliably tell when the cookie was created). |
|
That's why we have authKey which can be regenerated in this case to invalidate the login cookie.
Again, this can be implemented with the help of authKey and validateAuthKey().
cookieValidation prevents cookie tempering. Even if you turn off cookieValition (which you should have very good reason to do), the presence of authKey will still help to make sure you cannot make up a cookie. |
I agree but the docs suggest authkey "improves" security, which implies there is security without it. I mean all these things are not immediately clear from the authkey / validateAuthKey documentation. Validity should be part of the cookie validation; since changing the expiration date is tampering with the cookie. |
Isn't this true according to my description above? Without the authKey and if you turn off cookieValidation, you can fake a cookie and act as an arbitrary user.
The requirement such as expiration of authKey is application specific. I don't think we should explain it in the doc. It may be suitable as a cookbook tutorial.
We ARE using duration to set cookie expiration time. |
Okay.. Note however that duration is not used in the sense that a cookie expiration time is not enforced (i can edit it in my browser). |
This is by design - duration is used to set cookie expiration time, which as you said, can be modified as you want on the client side. If you want to enforce strict auth status duration that doesn't allow client modification, you have to implement it yourself (you can do so by manipulating |
I understand how it works, but this is clearly not correctly documented: Cookie Validation ¶ How is changing the expiry date of a cookie not a modification!? |
Cookie validation only protects the cookie value from being tampered. |
Regardless of what you choose to do, your reasoning is wrong:
You can never "send" a cookie in a request if you did not receive that cookie from the application; it wouldn't pass validation. |
Modified the doc to make it clearer. |
check your authKey afterLogin if it is null or empty try regenerate it and save |
According to the documentation the authkey adds extra security to the remember me cookie.
I am confused as to how it does this.
Why not instead sign the cookie!?!?!
Basically the documentation should say "the auth key adds very little to the otherwise totally insecure remember me cookie".
By implementing the above suggestions:
The text was updated successfully, but these errors were encountered: