Skip to content

Cookie store secure ? #40

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
nicolaspernoud opened this issue Jul 17, 2022 · 2 comments
Closed

Cookie store secure ? #40

nicolaspernoud opened this issue Jul 17, 2022 · 2 comments

Comments

@nicolaspernoud
Copy link

Hello,

In documentation it is written that the data in the cookie is only signed, but not encrypted. I understand that it is signed because the cookie id is an hash of the cookie data, and attempting to alter only the data will fail...
But since there is no (external) signing key, what would prevent someone to forge a cookie with any data for a website ?
If I understand correctly (and maybe I don't), that would be a severe security issue ?!
Would it be possible to pass a server known only key to the CookieStore::new(a_secret_key) to sign all the cookies (and deactivate them all if the key is changed) ?

Thanks,
@ghost
Copy link

ghost commented Sep 25, 2022

I'm using axum and the axum-sessions crate helped me get a grasp on what cookie signing might look like with async-session. If there is a specific implentation for whatever framework you're using, it might help to have a look at that. Regardless of framework though, the axum example should tell you what you need to know. I started by looking for where and how the key variable is used.

@nicolaspernoud
Copy link
Author

Ok, thanks, it is clearer now !

@tekul tekul mentioned this issue Jan 3, 2023
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@nicolaspernoud