CodyBugstein

Reputation: 23322

How secure are sessions?

From what I understand and have read about sessions, a website, like Facebook, will store a code on your computer that your computer sends back to Facebook every time you visit their site. This saves you the trouble of logging in every time you want to see your news feed.

My question is, how is this in any way secure? Can't anyone write a simple program to find this code on your computer - just like Facebook does? Or if you let your geeky friend use your computer, how do you know he doesn't copy your session codes and just use your account from somewhere else?

I read that sessions are more secure than cookies because cookies actually carry information like your username, password and other vital info. But if a session code can provide access to your whole account anyway, isn't a session just as insecure?

Are there any other factors at play that I don't know about or are sessions really this insecure?

Upvotes: 0

Views: 321

Answers (2)

ircmaxell

Reputation: 165201

My question is, how is this in any way secure? Can't anyone write a simple program to find this code on your computer - just like Facebook does?

Yes. Someone can do that. And they can steal your session credentials. If your computer is compromised, you can't build any form of security on top of that. If you can't trust the computer, you can't trust the browser. And if you can't trust the browser, there's no way you can possibly trust the website.

So we need to start with a fundamental assumption. To secure the website, we must assume the browser (and hence the computer) is secure.

If you can get code onto the computer to search for the session identifiers, it's game over already, since you can typically do much worse while you're there.

Or if you let your geeky friend use your computer, how do you know he doesn't copy your session codes and just use your account from somewhere else?

You don't. This is why you shouldn't let friends use your computer (among other reasons).

There are some techniques that can be done to verify the session came from the specific computer. But they tend to be either insecure (like verifying user agents) or fragile (like verifying IP addresses).

I read that sessions are more secure than cookies because cookies actually carry information like your username, password and other vital info. But if a session code can provide access to your whole account anyway, isn't a session just as insecure?

Sessions are no more secure than cookies, because the session uses a cookie for identification. Sure, the specific data doesn't leave the server (so it doesn't leak), but the attacker can resume the session.

Are there any other factors at play that I don't know about or are sessions really this insecure?

The key here is who are you trying to protect against. Specifically, what threat model:

  • A friend, who you give admin access to your computer (let them borrow with a privileged account)

    You can't reliably protect against that. If your users let others borrow their computer, you, as a website operator, can't help that unless you don't use a session at all and require users to authenticate every action.

    Simply don't do it, or give them a clean guest account. Or better yet, use a chromebook, and let them sign in with their own account.

  • An attacker getting code onto the computer

    You can't help that.

  • Someone snooping the network traffic (read-only) like a network packet sniffer.

    Use TLS (HTTPS)

  • Someone man-in-the-middle attacking the network traffic (read/write)

    Use TLS (HTTPS)

  • Someone attacking the server

    Secure your server!!!

In general, to figure out how to secure something, you need to consider the vector the attack is going to come from. Some attacks you simply can't defend against. And some, you just need to educate the user about.

Upvotes: 5

Thomas Orozco

Reputation: 55197

Session IDs are stored in cookies, so their security is the same as that of cookies.

Cookies are handled by your browser, which takes care of protecting them to the extent that it's possible.

No website can "ask your browser for a cookie" (and that is not what Facebook does). Instead, when accessing facebook.com, your browser sends along your facebook.com cookies, but not your google.com cookies.

Of course, "writing a simple program to find this code" would be easy, but distributing it wouldn't be that easy (i.e. you're talking about distributing malware), and it's definitely not what Facebook does to get access to the relevant session cookies.

There are several additional ways to protect cookies from unauthorized access (to a certain extent). One of them is to make them "HTTP-only", so that they aren't accessible in JavaScript (they'll still be sent to Facebook's servers, but the browser won't expose them to anything else).

Note that cookies are indeed as secure as the browser itself. If your browser is "compromised" (by your geeky friend), then so are your cookies, and so is your session.

Upvotes: 2
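As an added illustration of the points made in both answers (this is not code from either answer, just a constructed example using only the Python standard library): the session data stays on the server and only an opaque random ID goes into the cookie; the hardened Set-Cookie form carries HttpOnly, Secure and SameSite, shown beside the weak form; and because the mapping lives server-side, the operator can revoke a session so a copied ID stops working. The store, cookie name `sid` and function names are assumptions for the example.

```python
import secrets
import time
from http.cookies import SimpleCookie

# Constructed in-memory store: opaque session ID -> user record.
# The record never leaves the server; only the ID travels in the cookie.
SESSIONS = {}


def create_session(user_id, ttl_seconds=3600):
    """Issue a new session for user_id and return its opaque ID."""
    session_id = secrets.token_urlsafe(32)  # 256 bits of entropy, not guessable
    SESSIONS[session_id] = {"user_id": user_id, "expires": time.time() + ttl_seconds}
    return session_id


def session_cookie_header(session_id, hardened=True):
    """Build the Set-Cookie header value carrying the session ID.

    hardened=False reproduces the weak form: no HttpOnly, Secure or SameSite.
    """
    cookie = SimpleCookie()
    cookie["sid"] = session_id
    cookie["sid"]["path"] = "/"
    if hardened:
        cookie["sid"]["httponly"] = True   # not readable via document.cookie
        cookie["sid"]["secure"] = True     # only sent over HTTPS (TLS)
        cookie["sid"]["samesite"] = "Lax"  # not attached to cross-site requests
    return cookie.output(header="").strip()


def lookup_session(cookie_header):
    """Resolve a request's Cookie header to the stored record, or None."""
    morsel = SimpleCookie(cookie_header).get("sid")
    if morsel is None:
        return None
    record = SESSIONS.get(morsel.value)
    if record is None or record["expires"] < time.time():
        SESSIONS.pop(morsel.value, None)  # expired: drop it server-side
        return None
    return record


def revoke_session(session_id):
    """Server-side kill switch: a copied ID is useless after this returns True."""
    return SESSIONS.pop(session_id, None) is not None
```

Neither form stops someone who already controls the browser or the machine, as both answers say; the attributes only limit what a script on the page or a plaintext network path can see.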
