[–] kpcyrd 7y ago ↗ It seems this has all disadvantages of jwt-style sessions, plus a BREACH-style vulnerability in the crypto due to compression if `plain-text-cookie-value` contains data an attacker can taint. [–] tptacek 7y ago ↗ Yeah, I'm pretty confused by this being on the front page. [–] ryacko 7y ago ↗ Worse: “SCS doesn't address replay of old cookie values.”
[–] chrismorgan 7y ago ↗ A better title:RFC 6896 - SCS: KoanLogic's Secure Cookie Sessions for HTTP [2013] [–] jedisct1 7y ago ↗ A better better title: RFC 6896 - SCS: KoanLogic's Insecure Cookie Sessions for HTTP [2013]
[–] jedisct1 7y ago ↗ A better better title: RFC 6896 - SCS: KoanLogic's Insecure Cookie Sessions for HTTP [2013]
[–] kerng 7y ago ↗ This doesn't seem to protect from Pass the Cookie attacks.Edit - it's a common red teaming tactic: https://wunderwuzzi23.github.io/blog/passthecookie.html [–] 0xfffff 7y ago ↗ Correct, it doesn't. If you grab that cookie and then pass the cookie from somewhere else it will work.Section 7.2.3 talks about cookie theft. [–] kerng 7y ago ↗ Yeah, as others have pointed out this RFC is from 2013 - so a bit dated.
[–] 0xfffff 7y ago ↗ Correct, it doesn't. If you grab that cookie and then pass the cookie from somewhere else it will work.Section 7.2.3 talks about cookie theft. [–] kerng 7y ago ↗ Yeah, as others have pointed out this RFC is from 2013 - so a bit dated.
9 comments
[ 1.00 ms ] story [ 28.7 ms ] threadRFC 6896 - SCS: KoanLogic's Secure Cookie Sessions for HTTP [2013]
Edit - it's a common red teaming tactic: https://wunderwuzzi23.github.io/blog/passthecookie.html
Section 7.2.3 talks about cookie theft.