Yes, the default session storage is in encrypted cookies because it is convenient and good enough for many use cases. The session code is extensible though and someone has already written a Redis backend.
I'm asking because encrypting cookies seems like a pointless exercise, and seemed that way when it was first announced, as well. If you don't encrypt your entire connection, encrypting your cookie seems pointless, no?
The clientsession package (which is what we use) both encrypts and applies a hash to the payload. Hashing prevents users from tampering with the data, and encrypting prevents inspection of the data. This means that you can even store sensitive data in a cookie without worrying if it's being compromised. (Not to say I recommend that practice, but it is possible.)
There is of course some performance overhead to encrypting, but Felipe's skein package has been highly optimized, and Yesod is still able to achieve ~50,000 req/sec on modest hardware. (Apologies for not having more accurate numbers, I haven't run our benchmark suite on EC2 in over a year.)
The content of the cookie isn't compromised, but you can trivially sidejack a cookie on an unencrypted connection and access the information through the website itself, in essence stripping any security. Arguably encrypting the cookie is a waste of processor time, but more importantly I think you may be giving people a false sense of security. The proper way to do secure interactions is via SSL, and I'm not sure encrypted cookies vs simply HMACed cookies gives you any true security advantage (as session storage or anything else).
Yes, that's precisely what I'm saying. So, let me put it differently: what security advantage does an encrypted session cookie confer? I see two possibilities:
- Someone who hijacks a request with the cookie in it cannot see the data in the cookie. But they can access the site as the user, so there is no real world benefit to this fact.
- Someone on the same computer cannot see the data in the cookie. But again, they have the cookie value, so they can access the site as the user, so there is again no real world benefit to the fact that they can't see the data in the cookie itself, because they can interact with the site and see the data there.
I guess I'm just looking for an example scenario where the cookie being encrypted offers a concrete benefit from a security standpoint.
I might be wrong here but I think it prevents against a user tampering their own cookie. Say I store User_Id:5 in a cookie and pass it over an ssl connection. The user can still change from User_Id:5 to User_Id:6 and get user 6's account info. Typically you would have to store a non guessable token instead to avoid this. I think by encrypting the cookie you provide the non-guessable part of the equation without having to think about it. This isn't really a benefit from a security standpoint (as in it doesn't provide more security), but it is convenient.
Could be wrong here, I'm not very familiar with Yesod.
i can think of only one case: that in which the site owners dont want the user (or sidejacker in case of a non-SSL connection) to see some data they wish to put in the cookie.
i'd cannot think of a web app i worked on where this was needed.
(the hashing is cool though -- tinker prevention is common to be a-good-thing)
Notably, this would only happen if you have data in the user's session that the user themselves cannot get to by using the site. I confess I can't think of any such session data, but I suppose it could exist.
And yes, some sort of HMAC is pretty much mandatory if you're going to do client-side session storage securely, no question.
Encrypting and authenticating cookies allows the web app server (or server farm) to store some session state in the browser rather than hit the database for every little thing. This can have a huge positive effect on scalability.
I'm aware of the benefits of using cookies for session state, just not sure encryption itself offers serious benefits without encrypting the entire browser session via SSL. And it may offer disadvantages from an understanding standpoint, where people think the encrypted cookie provides more security than it actually does.
If properly encrypted with an authenticated encryption mechanism then the server can be sure that the data has not been modified and has not been read. This would allow private data to be stored. As long as the server is the only one that knows the key, then only the server can read it. An evesdropper can still use the cookies for replay attacks, but at that point they're on the connection already.
It's useful for things like storing the current user session. You wouldn't want someone to be able to log in and then change their account to someone else's by modifying the user id in their cookie. Thus this information is often stored in a server-side session. With an encrypted cookie you can push this data to the client, which makes the server stateless with respect to client sessions.
(1) Modification-prevention (the changing your account to someone else's by modifying the user id situation) is provided by the HMAC, not encryption. This is why Rails session cookies are not encrypted (as far as I know), for example.
(2) If someone has your cookie, they're either already on your connection or they're on your computer.
(3) The only situation where this provides any security is one in which you store data in the cookie that would not be accessible to the same user through the site. I can't think of any such data in any of my experience, but I will absolutely grant that such data may exist.
> If properly encrypted with an authenticated encryption mechanism
(2) Being on one's connection is the default assumption of the internet security model.
(3) Right, the confidentiality of the site's data from the site's user may not be critical. But if done properly it does allow the site to ensure that the data it stored has not been tampered with (except perhaps to drop it or replay it). Surely this can be useful.
