Reputation: 2574
Some months ago, I visited a security workshop and we discussed some security problems when using cookies for session management. I was told that cookies originally were not designed for handling sessions. But how should it be done then?
Upvotes: 3
Views: 3000
Reputation: 33538
A secure way to do this would be to generate a cryptographically random 128-bit value (that is, a random value generated by a CSPRNG), and then pass this as POST data to each page.
e.g.
<form method="post" action="/globalHandler">
<input type="hidden" name="sessionId" value="<sessiontoken>" />
<input type="hidden" name="page" value="accountDetails" />
</form>
The advantage is that the session identifier never needs to be transmitted in a cookie, mitigating SSL attacks such as POODLE or BREACH (the attacker has no way of injecting requests because they do not have the session identifier). This also inherently protects against CSRF attacks.
The disadvantage is that every page that is to be accessed whilst logged in will need to be accessible via the POST method only, where the suitable validation can take place on the sessionId parameter. Therefore it is best done to a website when it is first developed, rather than altering an existing website to fit this format.
Using POST data is more secure than GET, because with GET the details would be in the query string portion of the URL. e.g.
https://example.com?sessionId=1234...
Not only does this make the session identifier visible on the user's screen, but it can also be leaked by the referer header, and will also be logged by default in browser history, proxy and server logs. POST data is rarely logged by default.
Some banks use this method to ensure that there is only one active path made by the user during their session - the session identifier can easily be rotated so that if a user goes down a different route, their identifier does not match and they are logged out. This is useful from a security point of view when you have a multi-step process that must be followed in a set order. Some business logic vulnerabilities can otherwise arise when a user takes a different path than that of the developers' expectations.
Upvotes: 4
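The scheme in the answer above, worked through as an added example (this is not the answerer's code): a 128-bit token from the OS CSPRNG is issued into a hidden form field, every request to /globalHandler must be a POST, the token is compared in constant time, and each successful step rotates the token so a replayed or out-of-order submission is logged out, as the banking example describes. The in-memory SESSIONS store, the handle_request signature and the status strings are assumptions made for the example.

```python
import hmac
import html
import re
import secrets
from typing import Dict, Optional

# Hypothetical server-side session store (token -> username), constructed for
# this example. A real deployment would back this with a persistent store.
SESSIONS: Dict[str, str] = {}


def new_session_token() -> str:
    """128 bits from the OS CSPRNG, hex-encoded to 32 characters."""
    return secrets.token_hex(16)


def start_session(user: str) -> str:
    """Register a fresh token for `user` and return it."""
    token = new_session_token()
    SESSIONS[token] = user
    return token


def render_form(token: str, page: str) -> str:
    """Emit the hidden-field form from the answer: the token travels only in POST bodies."""
    return (
        '<form method="post" action="/globalHandler">\n'
        f'<input type="hidden" name="sessionId" value="{token}" />\n'
        f'<input type="hidden" name="page" value="{html.escape(page, quote=True)}" />\n'
        "</form>"
    )


def extract_token(form_html: str) -> Optional[str]:
    """Pull the sessionId value back out of a rendered form (what the browser would submit next)."""
    m = re.search(r'name="sessionId" value="([0-9a-f]{32})"', form_html)
    return m.group(1) if m else None


def handle_request(method: str, form: Dict[str, str]) -> Dict[str, Optional[str]]:
    """Process one request to /globalHandler; return status, user and the form for the next step.

    Only POST is accepted: a GET would put sessionId in the URL, where it ends up in
    browser history, proxy and server logs and the Referer header. Every successful
    request consumes the presented token and issues a new one, so a replayed or
    out-of-order submission fails with 401.
    """
    if method != "POST":
        return {"status": "405", "user": None, "next_form": None}

    presented = form.get("sessionId", "")
    matched = None
    # Constant-time comparison against each stored token (bytes, so non-ASCII input is safe).
    for token in SESSIONS:
        if hmac.compare_digest(presented.encode(), token.encode()):
            matched = token
    if matched is None:
        return {"status": "401", "user": None, "next_form": None}

    user = SESSIONS.pop(matched)  # the presented token is consumed here
    fresh = start_session(user)   # and replaced by a new one for the next step
    return {
        "status": "200",
        "user": user,
        "next_form": render_form(fresh, form.get("page", "")),
    }


if __name__ == "__main__":
    t = start_session("alice")
    step1 = handle_request("POST", {"sessionId": t, "page": "accountDetails"})
    print(step1["status"], step1["user"])
    print(step1["next_form"])
    # Replaying the consumed token is rejected.
    print(handle_request("POST", {"sessionId": t, "page": "transfer"})["status"])
```

The rotation is what enforces the single-path property: the browser only ever holds the token embedded in the last form it was served, so opening a second tab or resubmitting an earlier form presents a token that no longer exists server-side.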
Reputation: 2131
Cookies are still the best way for session management. Just be aware of the limitations in cookies. For better results, use Secure Cookies that cannot be transmitted over http, only https. These are harder to accidentally leak, if, for example, there is a reference to an unsecured image on the page.
Upvotes: 1
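An added example for the Secure-cookie advice above (not the answerer's code): it builds a session Set-Cookie value with and without the Secure attribute, models the browser rule that a Secure cookie is withheld from any plain-http request (the unsecured image reference the answer mentions), and audits a constructed list of Set-Cookie values for missing Secure and HttpOnly. The header values and the audit function are constructed for this example; the parsing uses the standard library's http.cookies.

```python
from http.cookies import SimpleCookie
from typing import List
from urllib.parse import urlparse


def session_cookie_header(token: str, hardened: bool = True) -> str:
    """Build the Set-Cookie value for a session cookie.

    hardened=True adds Secure (the attribute the answer recommends) plus
    HttpOnly and SameSite; hardened=False reproduces the weak form for comparison.
    """
    parts = [f"sessionId={token}", "Path=/"]
    if hardened:
        parts += ["Secure", "HttpOnly", "SameSite=Lax"]
    return "; ".join(parts)


def cookie_attributes(set_cookie: str) -> dict:
    """Parse one Set-Cookie value into its name and the two flags we care about."""
    jar = SimpleCookie()
    jar.load(set_cookie)
    morsel = next(iter(jar.values()))
    return {
        "name": morsel.key,
        "secure": bool(morsel["secure"]),
        "httponly": bool(morsel["httponly"]),
    }


def browser_would_send(set_cookie: str, request_url: str) -> bool:
    """Model the browser rule behind the answer: a Secure cookie is never sent over plain http.

    Domain and path matching are ignored here; the point is the scheme check.
    """
    attrs = cookie_attributes(set_cookie)
    if attrs["secure"] and urlparse(request_url).scheme != "https":
        return False
    return True


def audit_set_cookie_headers(headers: List[str]) -> List[str]:
    """Return one finding per missing Secure or HttpOnly attribute."""
    findings = []
    for h in headers:
        attrs = cookie_attributes(h)
        if not attrs["secure"]:
            findings.append(f'{attrs["name"]}: missing Secure (would be sent over http)')
        if not attrs["httponly"]:
            findings.append(f'{attrs["name"]}: missing HttpOnly (readable by page script)')
    return findings


# Constructed Set-Cookie values, as they might appear in captured HTTPS responses.
SAMPLE_HEADERS = [
    session_cookie_header("d41d8cd98f00b204e9800998ecf8427e", hardened=False),
    session_cookie_header("0123456789abcdef0123456789abcdef", hardened=True),
]

if __name__ == "__main__":
    # An https page that embeds http://example.com/logo.png: which cookie goes with the image request?
    for h in SAMPLE_HEADERS:
        sent = browser_would_send(h, "http://example.com/logo.png")
        print(h, "->", "leaked over http" if sent else "withheld")
    for finding in audit_set_cookie_headers(SAMPLE_HEADERS):
        print(finding)
```

Running the audit over real response captures is a cheap check to add to a deployment pipeline: the weak header above produces two findings, the hardened one none.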