This is a good vulnerability to be aware of, but the OP is probably wrong about "server maintains the authentication cookie" -- what's probably going on is that the servers simply don't maintain state at all, the cookie alone has the state, so replaying the cookie will always work.
Just about any Rails app using the default cookie-stored sessions will behave the same. Not because the server is "maintaining the authentication cookie", but precisely because the server is maintaining no state at all, it's all in the cookie (which in the latest versions of Rails is by default encrypted and signed, to prevent snooping or tampering -- but that doesn't prevent replay).
I think most people set cookies https only, figure they can't therefore be sniffed, and don't worry about it.
If you wanted to deal with it, still without maintaining session state on the server, I guess the best thing to do would be to put a timestamp in the cookie, and refuse to honor 'old' cookies? That still wouldn't make the cookie invalid as soon as someone pressed 'logout', and would be tricky with intended 'long lived stay logged in' cookies.
Eliminating server session state can make things (especially scaling) a lot simpler. I think it's probably good enough to https-only your cookies and call it a day. No?
This seems to imply that servers are saving a copy of the cookie on their end. But in reality it's more like dropping a cookie with enough information in it to uniquely identify the user. It then encrypts and signs the cookie. If the server can decrypt the cookie and the signature is valid it knows that this is a valid auth cookie.
Very good analysis about cookie in such extremely popular websites but it turns out that they are not having proper security measures in place to protect users confidentiality. Very pathetic. This is why, some sites like OSIpage (http://www.osipage.com) requires both password+security code combination for additional security and does not rely on session cookies.
I just don't understand why people are so determined to preserve their cookies. It's so easy to get rid of them.
I set Firefox to "Clear history when Firefox closes", and make sure that includes cookies (the only thing I don't routinely clear is "Browsing & Download History"). I exit Firefox at least once a day. Other browsers make it nearly as easy. E.g. Safari has a menu entry "Reset Safari ...". Voila, no stale cookies.
Is it really that difficult to exit a browser once a day? Of course, I don't keep dozens of tabs open, so maybe it's easier for me than for people who have adopted a different browsing methodology.
Is it really that difficult or time consuming to log in to a website once a day? I prefer to, I never reuse passwords across sites, so this way I keep all my different passwords fresh in my mind.
6 comments
[ 3.2 ms ] story [ 23.3 ms ] threadJust about any Rails app using the default cookie-stored sessions will behave the same. Not because the server is "maintaining the authentication cookie", but precisely because the server is maintaining no state at all, it's all in the cookie (which in the latest versions of Rails is by default encrypted and signed, to prevent snooping or tampering -- but that doesn't prevent replay).
I think most people set cookies https only, figure they can't therefore be sniffed, and don't worry about it.
If you wanted to deal with it, still without maintaining session state on the server, I guess the best thing to do would be to put a timestamp in the cookie, and refuse to honor 'old' cookies? That still wouldn't make the cookie invalid as soon as someone pressed 'logout', and would be tricky with intended 'long lived stay logged in' cookies.
Eliminating server session state can make things (especially scaling) a lot simpler. I think it's probably good enough to https-only your cookies and call it a day. No?
I set Firefox to "Clear history when Firefox closes", and make sure that includes cookies (the only thing I don't routinely clear is "Browsing & Download History"). I exit Firefox at least once a day. Other browsers make it nearly as easy. E.g. Safari has a menu entry "Reset Safari ...". Voila, no stale cookies.
Is it really that difficult to exit a browser once a day? Of course, I don't keep dozens of tabs open, so maybe it's easier for me than for people who have adopted a different browsing methodology.
Is it really that difficult or time consuming to log in to a website once a day? I prefer to, I never reuse passwords across sites, so this way I keep all my different passwords fresh in my mind.