Francois Taljaard

Reputation: 1477

ServiceStack Session ID in URL

Good day, I am not that familiar with this topic, so excuse me if it's not explained in the best way. I am using ServiceStack as my backend API and enabled "AllowSessionIdsInHttpParams = true". I am passing the ss-id via my URL. I noticed that I can copy that ss-id and use it in different clients (browsers). Should the ss-id not be validated against the user agent / client and only be validated if the client is the same?

Backend code:

            //Configure Host
            SetConfig(new HostConfig
            {
                DebugMode = false,
                AllowSessionIdsInHttpParams = false,
                UseSecureCookies = true,
                UseSameSiteCookies = true, 
                AllowNonHttpOnlyCookies = true
            });

            // Plugins
            Plugins.Add(new CorsFeature(AppConfig.allowedOrigins, "GET, POST, PUT, DELETE, PATCH, OPTIONS, HEAD", "Content-Type, Authorization, Accept, X-ss-id", true));

Frontend:

    var instance = axios.create({
        baseURL: Vue.prototype.$AppConfig.URL_API,
        withCredentials: true,
    })

Settings: both backend and frontend are HTTPS. allowedOrigins is set explicitly instead of the wildcard (*), which gave a different issue when I used it.

Error: 401 -

Upvotes: 2

Views: 271

Answers (2)

Francois Taljaard

Reputation: 1477

This is not a direct answer to the question, but relates to the question. This is the preferred and best solution to accomplish what I needed to accomplish in the technology stack I am using.

ServiceStack backend config:

    // Configure option also Host UseSameSiteCookies = true
    SetConfig(new HostConfig
    {
        UseSecureCookies = true
    });

    Plugins.Add(new CorsFeature(AppConfig.allowedOrigins, // configured Origins
        "GET, POST, PUT, DELETE, PATCH, OPTIONS, HEAD",
        "Content-Type, Authorization, Accept",
        true)); // allowed Credentials

UseSecureCookies must be true, wildcard (*) origins did not work, allowed credentials must be true.

Axios frontend (config instance for Axios):

    var instance = axios.create({
        baseURL: Vue.prototype.$AppConfig.URL_API,
        withCredentials: true,
    })

Using the instance does help to eliminate boilerplate code; withCredentials can also be set with an interceptor, but this code is good for me.

Lastly, and for the people like myself who are new to this, don't forget SSL (HTTPS). In IIS you can easily create a self-signed certificate; for an intranet I am sure it's more than enough. You need SSL on both sides, your origins (frontend) and the ServiceStack API (backend).

Upvotes: 0

mythz

Reputation: 143409

Should the ss-id not be validated against the user agent / client

No, cookies are used to identify a session which, given it's a unique id with high entropy, is the least predictable identifier sent by HTTP clients. It's not much different to other bearer tokens such as JWT tokens or API keys, which authenticate the Bearer as-is, i.e. without additional user agent validation.

Validating against a User-Agent would just be security theatre, as it is common, highly predictable & spoofable, i.e. if they're able to access your Cookie from the HTTP headers they also have access to all the other HTTP headers.

You could validate it against an IP Address but that would break sessions on a network change, e.g. whenever a device roams Wifi points which is why it's typically not done.

To best secure your cookies they should be only sent over SSL as Secure and HTTP Only Cookies (i.e. defaults in ServiceStack):

SetConfig(new HostConfig {
    UseSecureCookies = true,
    UseHttpOnlyCookies = true,
});

For additional protection against CSRF you can enable SameSite Cookies:

SetConfig(new HostConfig {
    UseSameSiteCookies = true,
});

Although, as this can break cross-site functionality and 3rd party OAuth providers like Twitter OAuth, it's set to Lax by default.

Upvotes: 2
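A defender-side check of the cookie attributes the answer above lists, as an added example (not ServiceStack's or the answerer's code): it parses Set-Cookie headers and flags the ss-id session cookie when Secure, HttpOnly or SameSite=Lax/Strict is missing, and separately flags requests that carry ss-id as a URL query parameter, the pattern the question enabled via AllowSessionIdsInHttpParams. The Set-Cookie strings and URLs are constructed sample data, not captured ServiceStack output.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple
from urllib.parse import urlparse, parse_qs

# Constructed sample Set-Cookie headers (not captured ServiceStack output).
SAMPLE_HEADERS = [
    "ss-id=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",  # hardened
    "ss-id=abc123; Path=/",                                   # weak: bare session cookie
    "theme=dark; Path=/",                                     # not a session cookie
]


@dataclass
class CookieAudit:
    name: str
    findings: List[str] = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.findings


def parse_set_cookie(header: str) -> Tuple[str, Dict[str, str]]:
    """Split 'name=value; Attr; Attr=val' into (name, {attr_lowercase: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, _value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()  # attribute names are case-insensitive
    return name.strip(), attrs


def audit_session_cookie(header: str, session_names=("ss-id",)) -> CookieAudit:
    """Hold session cookies to Secure + HttpOnly + SameSite=Lax/Strict; ignore other cookies."""
    name, attrs = parse_set_cookie(header)
    audit = CookieAudit(name)
    if name not in session_names:
        return audit
    if "secure" not in attrs:
        audit.findings.append("missing Secure: cookie may be sent over plain HTTP")
    if "httponly" not in attrs:
        audit.findings.append("missing HttpOnly: cookie readable by page scripts")
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        audit.findings.append("SameSite not Lax/Strict: no CSRF protection")
    return audit


def session_id_in_url(url: str, session_names=("ss-id",)) -> List[str]:
    """Return session-cookie names that appear as query parameters (they leak via logs and Referer)."""
    params = parse_qs(urlparse(url).query, keep_blank_values=True)
    return [n for n in session_names if n in params]
```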
