Reputation: 2896
I want to create an HTTP service handler which converts an existing auth session cookie into a token (i.e., a JSON Web Token). Should I be concerned with XSS or any other vulnerability, or am I simply covered by modern browsers disabling CORS by default?
Upvotes: 2
Views: 1223
Reputation: 33538
If I understand you correctly your service handler only takes the session cookie value as input and then outputs it as JSON?
In that case, as long as you use a standard, tried and tested JSON encoder then you will be safe against XSS. CSRF should not be an issue as your method is a safe method and the Same Origin Policy will prevent your cookie being read by another domain as you are not opting into CORS.
Upvotes: 0
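The handler this answer describes, written out as an added example (it is not code from the question or the answer). It assumes a cookie named `session`, an in-memory session store and a placeholder HMAC key, all constructed here; it issues a minimal HS256 JWT with only the standard library, accepts GET only, encodes the body with `encoding/json`, and deliberately sends no `Access-Control-Allow-Origin` header so a script on another origin can trigger the request but, under the Same Origin Policy, cannot read the token out of the response.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
	"time"
)

// sessions is a constructed in-memory store standing in for the real session backend.
var sessions = map[string]string{"sess-abc123": "alice"}

// signingKey is a placeholder; a deployment loads a random key from its secret store.
var signingKey = []byte("placeholder-key-replace-with-random-bytes")

type claims struct {
	Sub string `json:"sub"`
	Iat int64  `json:"iat"`
	Exp int64  `json:"exp"`
}

// mintJWT builds a compact HS256 JWT (header.claims.signature, base64url, no padding).
func mintJWT(subject string, now time.Time) (string, error) {
	enc := base64.RawURLEncoding
	header, _ := json.Marshal(map[string]string{"alg": "HS256", "typ": "JWT"})
	body, err := json.Marshal(claims{Sub: subject, Iat: now.Unix(), Exp: now.Add(5 * time.Minute).Unix()})
	if err != nil {
		return "", err
	}
	signingInput := enc.EncodeToString(header) + "." + enc.EncodeToString(body)
	mac := hmac.New(sha256.New, signingKey)
	mac.Write([]byte(signingInput))
	return signingInput + "." + enc.EncodeToString(mac.Sum(nil)), nil
}

// VerifyJWT checks the HS256 signature and expiry and returns the subject.
func VerifyJWT(token string) (string, bool) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", false
	}
	mac := hmac.New(sha256.New, signingKey)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || !hmac.Equal(sig, mac.Sum(nil)) { // constant-time compare
		return "", false
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return "", false
	}
	var c claims
	if json.Unmarshal(raw, &c) != nil || c.Exp <= time.Now().Unix() {
		return "", false
	}
	return c.Sub, true
}

type tokenResponse struct {
	AccessToken string `json:"access_token"`
	TokenType   string `json:"token_type"`
	ExpiresIn   int    `json:"expires_in"`
}

// TokenHandler exchanges a valid session cookie for a JWT over a safe (GET) request.
func TokenHandler(w http.ResponseWriter, r *http.Request) {
	if r.Method != http.MethodGet {
		w.Header().Set("Allow", http.MethodGet)
		http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
		return
	}
	c, err := r.Cookie("session")
	user, ok := "", false
	if err == nil {
		user, ok = sessions[c.Value]
	}
	if !ok {
		http.Error(w, "unauthorized", http.StatusUnauthorized)
		return
	}
	tok, err := mintJWT(user, time.Now())
	if err != nil {
		http.Error(w, "internal error", http.StatusInternalServerError)
		return
	}
	// JSON content type, no caching, and no CORS headers: the browser blocks cross-origin reads.
	w.Header().Set("Content-Type", "application/json")
	w.Header().Set("Cache-Control", "no-store")
	w.Header().Set("X-Content-Type-Options", "nosniff")
	json.NewEncoder(w).Encode(tokenResponse{AccessToken: tok, TokenType: "Bearer", ExpiresIn: 300})
}

// Exchange drives the handler in-process; returns status, the (absent) CORS header, and the body.
func Exchange(method, cookie string) (int, string, tokenResponse) {
	req := httptest.NewRequest(method, "/token", nil)
	if cookie != "" {
		req.AddCookie(&http.Cookie{Name: "session", Value: cookie})
	}
	rec := httptest.NewRecorder()
	TokenHandler(rec, req)
	var body tokenResponse
	_ = json.NewDecoder(rec.Body).Decode(&body)
	return rec.Code, rec.Header().Get("Access-Control-Allow-Origin"), body
}

func main() {
	status, cors, body := Exchange(http.MethodGet, "sess-abc123")
	sub, ok := VerifyJWT(body.AccessToken)
	fmt.Println(status, cors == "", sub, ok)
}
```

The `encoding/json` encoder escapes quotes and `<`, `>`, `&` in any string it emits, which is what keeps a cookie-derived value from becoming markup in the response; if the endpoint is later opened to other origins, `Access-Control-Allow-Origin` must name specific trusted origins, never `*` alongside credentials.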
Reputation: 53888
That is hard to tell without more info on the use case: it depends on what information will be included in the JSON Web Token, to what clients it will be sent (e.g. in different domains and/or controlled by different entities), how these clients will use it (e.g. over HTTPS or not), and what the clients use it for (e.g. would it act as the user or under a restricted set of permissions).
Also note that standard OAuth 2.0 allows for this scenario already: you can leverage an existing web session (i.e. in a code flow) to authenticate against the Authorization Server and send tokens down to OAuth 2.0 clients; a correct implementation of the OAuth 2.0 spec would warrant against the said vulnerabilities.
Upvotes: 1