In my web application, I have a single API backend and two frontends written as single page applications. To simplify deployment, I'd like to serve the API on /api, the admin dashboard on /admin, and the end user frontend on /user (or something similar), all on the same domain.
Background: I've been using a simple session cookie design for my web app. I have a users table, and a sessions table that basically looks like this:
id  | user_id | visited_at
----+---------+-----------
int | int     | timestamp
And a session cookie contains just a session ID, signed with a secret key. I give the cookie an expiration date (but the source of truth is still the timestamp in the DB), and make sure it’s secure and HTTP-only.
Then I came across these threads:
I think tptacek is basically saying that, instead of storing the signed session ID in the cookie, I can make the sessions table like this:
id      | user_id | visited_at
--------+---------+-----------
varchar | int     | timestamp
where id is a randomly generated 16+ byte key encoded as a string, and simply store this string in the session cookie without any encryption/signing.
Is this approach secure? Does it have any downsides due to the lack of a signing step? (I was thinking that without signing we can't invalidate all sessions by changing the server secret, but then I think we can just delete all the sessions from the DB, since we are not doing stateless authentication anyway.)
UPDATE: I think maybe one benefit of the signing approach is that I can save some space in my DB by using an integer primary key. But I’m more interested in the security aspect.
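An added example (not code from the question or from the threads it cites) of the unsigned random-ID design, assuming a sqlite table in the question's shape: the cookie value is the raw random token, while the id column holds a SHA-256 hash of it, so a leaked sessions table cannot be replayed as cookies, and "delete all rows" plays the role that rotating a signing secret would.

```python
import hashlib
import secrets
import sqlite3

# Constructed schema mirroring the question's sessions table; visited_at is a
# Unix timestamp (integer) to keep the example self-contained.
SESSION_TTL_SECONDS = 7 * 24 * 3600


def _hash_token(token: str) -> str:
    # Only the digest is stored; a DB dump does not yield usable cookie values.
    return hashlib.sha256(token.encode("ascii")).hexdigest()


def open_store() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE sessions (id TEXT PRIMARY KEY, user_id INTEGER NOT NULL,"
        " visited_at INTEGER NOT NULL)"
    )
    return conn


def create_session(conn: sqlite3.Connection, user_id: int, now: int) -> str:
    # 32 bytes from the OS CSPRNG, URL-safe base64; this string is the cookie.
    token = secrets.token_urlsafe(32)
    conn.execute("INSERT INTO sessions VALUES (?, ?, ?)",
                 (_hash_token(token), user_id, now))
    return token


def lookup_session(conn: sqlite3.Connection, token: str, now: int):
    # Returns the user_id for a live session, or None. The DB timestamp is the
    # source of truth for expiry; the cookie's own expiry is only a hint.
    digest = _hash_token(token)
    row = conn.execute(
        "SELECT user_id, visited_at FROM sessions WHERE id = ?", (digest,)
    ).fetchone()
    if row is None:
        return None
    user_id, visited_at = row
    if now - visited_at > SESSION_TTL_SECONDS:
        conn.execute("DELETE FROM sessions WHERE id = ?", (digest,))
        return None
    conn.execute("UPDATE sessions SET visited_at = ? WHERE id = ?", (now, digest))
    return user_id


def revoke_all(conn: sqlite3.Connection) -> int:
    # Stateful equivalent of rotating a signing secret: every session dies.
    count = conn.execute("SELECT COUNT(*) FROM sessions").fetchone()[0]
    conn.execute("DELETE FROM sessions")
    return count
```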
I have installed two browser extensions, Privacy Badger and ScriptSave, in order to block unwanted cookies. I knew websites would load cookies, but I was still surprised by the number. Unfortunately, the web content is usually not displayed and I am eventually forced to allow all cookies to be loaded, at least for a session. I can see there are different groups of them: analytics, CDN, tag managers, but some of them have randomly generated names.
I would guess the following cookies are not dangerous:
cdn.cookielow.org
cdn.sstatic.net
cdnjs.cloudflare.com
googletagservices.com
google-analytics.com
adjax.googleapis.com
assets.hearstapps.com (?)
But sometimes cookies with random names are loaded:
dstik9906m659.cloudfront.net
d176jfkp3gfyt8.cloudfront.net
d1bg94bbsh66ji.cloudfront.net
I read that anything with cloudfront.net is from Amazon. I couldn't find anything on the cookies above, but I still don't understand the reason for the random characters in the names.
I am looking for advice on how to recognise genuine cookies and filter out those that are potentially dangerous. Is it easily possible? Thanks.
I have cleared all the cookies in my Chrome, closed the browser, reopened Chrome, and navigated to chrome://settings/siteData.
I see two new Facebook cookies, fr and sb, created right away. Before visiting Facebook, how did these two cookies get created?
So I'm new to web application security and have a question regarding session cookies. Which is more vulnerable:
- Having the same session cookie for a user logging in from different machines/browsers
- Having different session cookies for a user logging in from different machines/browsers
If possible, can you provide a quick scenario of how each can be exploited?
What if a hacker steals my cookies, for example using BeEF or something else? What can they do with this information? Can they get any passwords or something?
Using Nginx, I hope to restrict the permissible hosts for cookies. My initial intention was to employ a Content Security Policy for this purpose, but I don't see an obvious way to do this via a CSP. Ideally I'd find something like
Restrict-Cookies-Header: hostname1.tld hostname2.tld2
Can something like this be accomplished with HTTP headers? Thanks!
For example, assume I get a NET::ERR_CERT_AUTHORITY_INVALID warning in Chrome when visiting a website. If I still choose to visit that site, do cookies still get sent as usual (as when the site is safe, with no warning)?
There is a website with a logout button; when I click on logout, it just redirects me to the login page. If I manually enter the dashboard URL in the URL bar, I'm still logged in. Is this a security bug for that website, and is there any CWE or CVE assigned to this kind of bug?