Alex

Reputation: 830

Storing sessions in encrypted cookies

Is it a good idea to store sessions on a client side using encrypted cookies with an HMAC?

There is a problem: if somebody discovers a secret key, they could gain access to any user account. Could this problem be eliminated by attaching part of the user's password hash to the cookie? Then on the server side, you could compare this hash to the actual value.

Upvotes: 2

Views: 608

Answers (1)

Gray

Reputation: 7130

You don't want to use the password hash for anything other than verifying a user's credentials. Not sure if you were implying otherwise, but you definitely do not want to leak hashes (partial or otherwise) for no reason.

You are exactly right that encryption + HMAC can be broken if a malicious user discovers the key(s). That is why we must guard the keys with extreme care. It is all but impossible for a malicious user to be able to determine the key from a properly encrypted cypher.

To get your keys, they would have to compromise your server. If they can compromise your server, none of this really matters. All your proposal would do is to make them have to get two keys instead of just one. They have access to your encryption keys, so they likely have access to your database... so the hashes are already exposed. It's like adding a moat after someone is already in your castle.

In short, encryption + HMAC is not broken. It is sufficient for protecting your cookie, assuming you have properly implemented it.

Upvotes: 2
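The answer hinges on "properly implemented". What that looks like for an encrypted, authenticated session cookie is shown below as an added example; it is not code from the question, the answer, or any particular framework. It is a self-contained Go program using only the standard library: two independent keys (encryption and MAC) are derived from one master secret, the payload is encrypted with AES-256-CTR under a fresh random nonce, an HMAC-SHA256 tag is computed over nonce||ciphertext (encrypt-then-MAC), and the server verifies the tag in constant time before it decrypts anything. An expiry timestamp travels inside the ciphertext so a stolen cookie does not live forever. The derivation labels, the cookie layout, and the master secret are all constructed for the demo; a modern AEAD such as AES-GCM would replace the CTR+HMAC pair with one primitive and is the usual choice today.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// All three errors should be handled identically by callers (no session);
// distinguishing them is useful for logging, not for the response.
var (
	ErrMalformed = errors.New("cookie: malformed")
	ErrBadMAC    = errors.New("cookie: authentication failed")
	ErrExpired   = errors.New("cookie: expired")
)

const (
	nonceSize = aes.BlockSize // 16-byte CTR nonce, random per cookie
	tsSize    = 8             // big-endian unix expiry, stored inside the ciphertext
	macSize   = sha256.Size   // 32-byte HMAC-SHA256 tag
)

// Keys holds two independent keys derived from one master secret, so the key
// that encrypts is never also the key that authenticates.
type Keys struct{ enc, mac []byte }

// derive is a one-block HMAC-based KDF (assumed labels "cookie-encrypt"/"cookie-mac").
func derive(master []byte, label string) []byte {
	m := hmac.New(sha256.New, master)
	m.Write([]byte(label))
	return m.Sum(nil) // 32 bytes: an AES-256 key or an HMAC key
}

func DeriveKeys(master []byte) Keys {
	return Keys{enc: derive(master, "cookie-encrypt"), mac: derive(master, "cookie-mac")}
}

// Seal encrypts expiry||payload with AES-256-CTR under a fresh nonce, then MACs
// nonce||ciphertext. Layout: nonce | ciphertext | tag, URL-safe base64 encoded.
func Seal(k Keys, payload []byte, ttl time.Duration, now time.Time) (string, error) {
	block, err := aes.NewCipher(k.enc)
	if err != nil {
		return "", err
	}
	pt := make([]byte, tsSize+len(payload))
	binary.BigEndian.PutUint64(pt, uint64(now.Add(ttl).Unix()))
	copy(pt[tsSize:], payload)

	out := make([]byte, nonceSize+len(pt)+macSize)
	if _, err := rand.Read(out[:nonceSize]); err != nil {
		return "", err
	}
	cipher.NewCTR(block, out[:nonceSize]).XORKeyStream(out[nonceSize:nonceSize+len(pt)], pt)
	m := hmac.New(sha256.New, k.mac)
	m.Write(out[:nonceSize+len(pt)])
	copy(out[nonceSize+len(pt):], m.Sum(nil))
	return base64.RawURLEncoding.EncodeToString(out), nil
}

// Open verifies the tag in constant time before touching the ciphertext,
// then decrypts and enforces the embedded expiry.
func Open(k Keys, cookie string, now time.Time) ([]byte, error) {
	raw, err := base64.RawURLEncoding.DecodeString(cookie)
	if err != nil || len(raw) < nonceSize+tsSize+macSize {
		return nil, ErrMalformed
	}
	body, tag := raw[:len(raw)-macSize], raw[len(raw)-macSize:]
	m := hmac.New(sha256.New, k.mac)
	m.Write(body)
	if !hmac.Equal(tag, m.Sum(nil)) {
		return nil, ErrBadMAC
	}
	block, err := aes.NewCipher(k.enc)
	if err != nil {
		return nil, err
	}
	pt := make([]byte, len(body)-nonceSize)
	cipher.NewCTR(block, body[:nonceSize]).XORKeyStream(pt, body[nonceSize:])
	if now.Unix() > int64(binary.BigEndian.Uint64(pt[:tsSize])) {
		return nil, ErrExpired
	}
	return pt[tsSize:], nil
}

func main() {
	// Constructed master secret for the demo; load it from a secrets store in practice.
	keys := DeriveKeys([]byte("constructed-demo-master-secret-do-not-reuse"))
	now := time.Now()
	c, _ := Seal(keys, []byte("uid=42;role=user"), time.Hour, now)
	p, err := Open(keys, c, now)
	fmt.Printf("open: %q err=%v\n", p, err)
	raw, _ := base64.RawURLEncoding.DecodeString(c)
	raw[nonceSize+tsSize] ^= 0x01 // flip one ciphertext byte: MAC fails before decryption
	_, err = Open(keys, base64.RawURLEncoding.EncodeToString(raw), now)
	fmt.Println("tampered:", err)
	_, err = Open(keys, c, now.Add(2*time.Hour))
	fmt.Println("late:", err)
}
```

Note what the design does and does not buy you, in line with the answer: a client who changes a single byte, or who re-encrypts with a guessed key, is rejected by the MAC check alone, so the password hash never needs to be in the cookie; but anyone holding the master secret can mint arbitrary sessions, which is exactly why the secret belongs in a secrets store with rotation rather than in source or configuration files.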
