Jesper Kristensen

Reputation: 302

Are cookies safe in a Heroku app on herokuapp.com?

I am developing an app, which I will deploy on Heroku. The app is only used within an iframe on another site, so I don't care about the domain name. I plan to deploy my app on example.herokuapp.com instead of using a custom domain on example.com.

My app uses cookies, and I want to be sure that others cannot manipulate my cookies to protect my app against session fixation and similar attacks. If attacker.herokuapp.com is able to set a cookie for herokuapp.com, browsers will not be able to protect me, since herokuapp.com is not a public suffix. See http://w2spconf.com/2011/papers/session-integrity.pdf for a detailed description of the issue.

My question is: When browsers can't protect my users, will Heroku do it by blocking cookies for herokuapp.com?

Upvotes: 4

Views: 4346

Answers (3)

ryanc

Reputation: 185

Just wanted to post an update for anyone who ran across this question as I did. I was working on a similar problem, except that I wanted to purposefully allow access to the same cookie from two different heroku apps.

"herokuapp.com" and "herokussl.com" are now on the Public Suffix List, so your cookies should be safe if they are set for one of those domains. I ended up having to use custom domains in order to share cookies across both apps.

Heroku also released an article on the topic: https://devcenter.heroku.com/articles/cookies-and-herokuapp-com

Upvotes: 9
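The effect of the Public Suffix List entry described in the answer above, as an added example that is not part of the original question or answers: a miniature cookie jar applying the RFC 6265 rules a browser uses when a response from one host carries a Domain attribute. The two-entry public suffix set is a constructed subset, not the real list, and the host names are the ones from the question.

```javascript
// Constructed public-suffix subset (the real PSL has thousands of entries).
// Before Heroku's entry was added, only "com" would have been present.
const PUBLIC_SUFFIXES = new Set(['com', 'herokuapp.com']);

// RFC 6265 section 5.1.3: host domain-matches cookieDomain if they are equal
// or host ends with "." + cookieDomain.
function domainMatches(host, cookieDomain) {
  host = host.toLowerCase();
  cookieDomain = cookieDomain.toLowerCase();
  return host === cookieDomain || host.endsWith('.' + cookieDomain);
}

// Split one Set-Cookie header value into name, value and lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const a of attrs) {
    const i = a.indexOf('=');
    const k = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    cookie.attrs[k] = i === -1 ? true : a.slice(i + 1);
  }
  return cookie;
}

// Decide whether a browser on requestHost stores the cookie and for which
// domain (RFC 6265 section 5.3 steps 4-6). Returns null when it is ignored.
function acceptCookie(requestHost, header, psl = PUBLIC_SUFFIXES) {
  const cookie = parseSetCookie(header);
  let domain = cookie.attrs.domain;
  if (domain === undefined) {
    // No Domain attribute: host-only cookie, sent back only to requestHost.
    return { ...cookie, domain: requestHost, hostOnly: true };
  }
  domain = domain.replace(/^\./, '').toLowerCase();
  // A Domain that is a public suffix is rejected unless it equals the request
  // host exactly, in which case the cookie is downgraded to host-only.
  if (psl.has(domain)) {
    if (domain !== requestHost.toLowerCase()) return null;
    return { ...cookie, domain: requestHost, hostOnly: true };
  }
  // Otherwise the request host must domain-match the requested Domain.
  if (!domainMatches(requestHost, domain)) return null;
  return { ...cookie, domain, hostOnly: false };
}

// Names of the stored cookies a browser would attach to a request to host.
function cookiesFor(jar, host) {
  return jar
    .filter(c => c.hostOnly
      ? c.domain.toLowerCase() === host.toLowerCase()
      : domainMatches(host, c.domain))
    .map(c => c.name);
}

// Scenario from the question: attacker.herokuapp.com tries to plant a cookie
// for the whole herokuapp.com zone; which cookies does example.herokuapp.com
// then receive? Returns [] when the browser protected the example app.
function supercookieScenario(psl) {
  const header = 'session=attacker-chosen; Path=/; Domain=.herokuapp.com';
  const planted = acceptCookie('attacker.herokuapp.com', header, psl);
  const jar = planted ? [planted] : [];
  return cookiesFor(jar, 'example.herokuapp.com');
}
```

With only "com" in the suffix set the planted cookie domain-matches example.herokuapp.com and is sent to it; once "herokuapp.com" is listed, the same Set-Cookie header is dropped at attacker.herokuapp.com and never reaches the other app. Note the rule only helps on browsers whose embedded PSL copy includes the entry.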

Jesper Kristensen

Reputation: 302

I just tried to add a cookie from my Heroku app with the response header Set-Cookie: name=value;Path=/;Domain=.herokuapp.com, and to my disappointment, I could see the header intact in my browser. So the Heroku infrastructure does not detect and remove this cross-app supercookie.

I see three possible ways to protect a Heroku app against cross-app supercookies:

  • Don't use cookies at all.
  • Use a custom domain.
  • Verify that each cookie was actually set by your app, and restrict it to the client's IP address by checking the X-Forwarded-For header.

My feature request to Heroku would be that they should filter HTTP responses that go through their HTTP routing, such that applications hosted on their infrastructure cannot set cookies with Domain=herokuapp.com.

Upvotes: 1

friism

Reputation: 19279

It seems to me that, as long as you set the cookie for example.herokuapp.com, then the cookie is safe from manipulation. The cookie will only be presented to the app running on example.herokuapp.com and to herokuapp.com (where no app runs).

Upvotes: 0
