If I am not completely mistaken, the encryption lacks a proper randomization and therefore is susceptible to a replay attack.
Who would prevent an attacker from intercepting an encrypted cookie and sending the encrypted packet a second time, not bothering that she does not know the key - since she already has the encrypted version and could deduce the meaning from context?
This is a good point and the developer needs to reason about the fact that encryption makes details opaque and hides information in its original form, but does not remove the possibility of, as you say, understanding the meaning of the encrypted message and reusing it.
My suggestion is that developers think of encrypted cookies as if they were credit cards protected by a chip. Without the card, no one can do anything, because the chip's action can't be spoofed. However, with the card, or a copy of the card, one can do anything the original card allowed.
This means the encrypted cookies should have an expiration date and should be protected with additional measures as much as possible, such as using the flags httpOnly, secure, and potentially making sure the caller presents an additional value (from a form or script or local storage) that matches the cookie, making it harder to use the cookie outside of its original time/context/browser.
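The exchange above makes two separate points: a deterministic encryption (no per-cookie randomness) lets an observer tell when two cookies carry the same plaintext, and even a properly randomized, authenticated cookie can be replayed by whoever captured it, so the server has to enforce an expiry and a binding value that the cookie alone does not carry. The following is an added example written for this thread, not code from the project under discussion. It uses a toy encrypt-then-MAC construction built from HMAC-SHA256 purely so the script runs with the Python standard library; a real implementation would use an AEAD such as AES-GCM. The names `seal`, `unseal`, `issue_cookie`, `check_cookie`, the demo key and the browser token are all constructed for the illustration.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Constructed demo key; a real deployment loads it from secret storage.
KEY = hashlib.sha256(b"demo-cookie-key").digest()
NONCE_LEN, TAG_LEN = 16, 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy keystream: HMAC(key, nonce || counter) blocks. Illustration only.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes, nonce: Optional[bytes] = None) -> str:
    # Encrypt-then-MAC. A caller-supplied fixed nonce models an encryption
    # that lacks randomization: equal plaintexts then yield equal cookies.
    import os
    nonce = os.urandom(NONCE_LEN) if nonce is None else nonce
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(nonce + ct + tag).decode()


def unseal(key: bytes, cookie: str) -> Optional[bytes]:
    # Returns the plaintext, or None if the cookie is malformed or its MAC fails.
    try:
        raw = base64.urlsafe_b64decode(cookie.encode())
    except ValueError:
        return None
    if len(raw) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ct, tag = raw[:NONCE_LEN], raw[NONCE_LEN:-TAG_LEN], raw[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def issue_cookie(key: bytes, subject: str, binding_secret: bytes,
                 ttl_seconds: int, now: Optional[float] = None) -> str:
    # The cookie carries an expiry and a hash of a value the browser must
    # present separately (form field, script value, local storage).
    now = time.time() if now is None else now
    payload = {"sub": subject, "exp": int(now + ttl_seconds),
               "bind": hashlib.sha256(binding_secret).hexdigest()}
    return seal(key, json.dumps(payload, sort_keys=True).encode())


def check_cookie(key: bytes, cookie: str, presented_binding: bytes,
                 now: Optional[float] = None) -> Tuple[bool, str]:
    # Returns (accepted, subject-or-reason). Decrypting is not enough: the
    # server also checks the expiry and the separately presented binding value.
    now = time.time() if now is None else now
    plaintext = unseal(key, cookie)
    if plaintext is None:
        return False, "bad-mac"
    try:
        payload = json.loads(plaintext)
    except ValueError:
        return False, "bad-payload"
    if now >= payload["exp"]:
        return False, "expired"
    presented = hashlib.sha256(presented_binding).hexdigest()
    if not hmac.compare_digest(presented, payload["bind"]):
        return False, "binding-mismatch"
    return True, payload["sub"]


def demo() -> dict:
    t0 = 1_700_000_000
    browser_token = b"per-browser-token-A"  # constructed; lives outside the cookie
    cookie = issue_cookie(KEY, "alice", browser_token, 300, now=t0)
    raw = bytearray(base64.urlsafe_b64decode(cookie.encode()))
    raw[NONCE_LEN + 4] ^= 0x01  # flip one ciphertext byte
    tampered = base64.urlsafe_b64encode(bytes(raw)).decode()
    pt, fixed_nonce = b'{"sub":"alice"}', b"\x00" * NONCE_LEN
    return {
        "fresh_same_browser": check_cookie(KEY, cookie, browser_token, now=t0 + 10)[0],
        "replay_other_browser": check_cookie(KEY, cookie, b"attacker-token", now=t0 + 10)[1],
        "replay_after_expiry": check_cookie(KEY, cookie, browser_token, now=t0 + 301)[1],
        "tampered": check_cookie(KEY, tampered, browser_token, now=t0 + 10)[1],
        "deterministic_equal": seal(KEY, pt, fixed_nonce) == seal(KEY, pt, fixed_nonce),
        "randomized_equal": seal(KEY, pt) == seal(KEY, pt),
    }


if __name__ == "__main__":
    print(demo())
```

The replayed cookie passes the MAC check every time; it is the expiry and the binding mismatch that reject it. The binding value only helps when the attacker obtained the cookie by itself (leaked logs, a misconfigured Secure flag, another script on the page): someone who captured the whole request also holds the binding value, so short lifetimes and TLS remain necessary.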