So I'm implementing integration with API that uses OAuth 2, which state: Recommend to use httpOnly Cookies to store the tokens (access, refresh).
I've used sessions for long time and I was not sure if there is any difference between using httponly cookie or session
Any pros vs cons?
HttpOnly cookies serve same security as session cookies
Except the extra work involved with session cookies (storing and clearing data)
Oauth 2 recommends the usage of HttpOnly cookies, but I wasn't sure why!
Thanks in advance
Cookies and Sessions are used to store information. Cookies are only stored on the client-side machine, while sessions get stored on the client as well as a server. A session creates a file in a temporary directory on the server where registered session variables and their values are stored.
So...
The main difference between a session and a cookie is that session data is stored on the server, whereas cookies store data in the visitor's browser. Sessions are more secure than cookies as it is stored in server. Cookie can be turned off from browser.
Related
I have a need to preserve session id after login. My session id cookie is marked as HttpOnly. Is such setup absolutely secure? Is there any possibility for an attacker to to perform session fixation attack if my session cookie is HttpOnly?
TLDR: Yes, in PHP and Firefox it is possible to add a second session cookie which, due to the order in the header, is preferred over the original one.
Also Yes, if there is other functionality which allows to set session IDs on the server. This depends on the application specific functionality.
Full explanation
Depends on what other functionality you have on your website to manipulate sessions. In some rare occasions, the application allows a user to set a session via a HTTP request. For example, via a GET parameter.
I believe you want to know if it is possible to fixate a session ID if the original session ID is set in a cookie with the HttpOnly flag. Therefore, I did a small test on a PHP application I was conducting a pentest on. Surprisingly, you can set a new PHPSESSID via a JavaScript injected as XSS. If there already was an existing PHPSESSID cookie with the HttpOnly flag, it simply puts this one next to the other one. In my case, in Firefox, it sent the following Cookies to the server after my attempt to set PHPSESSID via document.cookie = "PHPSESSID=FIXATEDSESSIONID":
Cookie: PHPSESSID=FIXATEDSESSIONID; __utma=139474299.465096418.1547461023.1548839033.1548851774.5; __utmz=139474299.1547461023.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); acceptCookies=true;
So there are now two session IDs in the request. In my setup, with PHP 5.6.25, the server takes the first cookie to bind a session. So in the case with Firefox and PHP 5.6.25, I was able to fixate my session ID (FIXATEDSESSIONID) via a JavaScript. The original session ID is still in the request but it is ignored by the server. Note that FIXATEDSESSIONID is literally the session ID I injected. So it was not necessary to get a legitimate session ID from the PHP server.
It's better to have session cookie as HttpOnly, because it obviously makes session more secure.
The right way to avoid session fixation vulnerability is to make new session for user on authentication.
Check OWASP article about session fixation. It has information about techniques to execute this kind of attack.
I have disabled cookies for my website and get TokenMismatchException. Since I am using sessions file driver and in my form I have {{ csrf_field() }} why do I get TokenMismatchException when I disable cookies for my website ?
If I inspect the call that was made I can see that the token was sent in post : token J0Y0t2hj3jjVFMdGCch0apliPqlz1lZlwUc0VqCk
why do I get TokenMismatchException when I disable cookies for my website?
Because the CSRF token value in the form needs to be compared to (the) one stored in the session.
If your session is not working without cookies, then of course this will fail.
So decide whether you want to demand cookies for your app to work, or if you want to use less secure ways of transporting the session id (GET/POST – how to configure that within your framework, should be in its documentation.)
check your config file(config/session.php) and see if your session driver is cookie. If yes, then change that to something else.
here is the notes: Laravel's HTTP Session
file - sessions are stored in storage/framework/sessions.
cookie - sessions are stored in secure, encrypted cookies.
database - sessions are stored in a relational database.
memcached / redis - sessions are stored in one of these fast, cache based stores.
array - sessions are stored in a PHP array and will not be persisted.
Which is the difference between sessions and cookies. I know that sessions are server side, and managed by the server, and the cookies are client side and managed by the browser.
I don't know why, but I see those things as rendundant. Which data have to be keept in a session variable and which on cookies?
Session is implemented with cookies. You would normally save in a cookie things like the user id, or some identifier that will allow you to know who the user is, and use that information as a key for your session variable on the server side.
Most importantly, you wouldn't want any secret information being stored on the client side, since cookies can easily be stolen (from a security point of view).
Don't forget that HTTP is stateless, so cookies are just a way to bypass this.
In short, cookies are more persistent than sessions. As soon as you close your browser, the session information is gone. Therefore a session has no way to store information about a website/user pair. Cookies do, and are used for things like allowing you to stay logged in to a website, or storing preferences for that website (e.g. language).
The main difference between cookies and sessions is that cookies are stored in the user's browser, and sessions are not. This difference determines what each is best used for.
see http://php.about.com/od/learnphp/qt/session_cookie.htm
Cookies are for small data. They can only hold strings.
In session variables you're able to store objects in the server memory.
How does one implement maintaining sessions securely. Suppose just the login page uses SSL. So the user enters his usernamepassword and the http server verifies it is in the database and now what?
Does it set some cookie? If so then what should the cookie be set to so that security is maintained (encrypted, what kind of encryption)? Looking for a low level detailed answer. I hear there are various cookie hijacking concerns. If I only use SSL for the login but thereafter don't use SSL will the cookie be vulnerable?
Then after the browser is closed and the user comes back how does the cookie identify the username. How is this done securely without the cookie being stolen?
You definitely expose your clients to session theft if your connection is not encrypted at all times.
HTTP is a stateless protocol, so the only way to fake a stateful interaction is for client and server to send a session identifier with every transaction. If this isn't protected, it can trivially be stolen. Since the session identifier is the only authentication token during the open session, this is catastrophic.
The usual way to make a "remember me" feature would be to set a cookie whose lifetime is not limited to the browser's program lifetime (i.e. by setting an explicit expiration date), and storing some unique data in the cookie which you match against some remembering data (including the IP perhaps) in your database. But that does not absolve you from the need to encrypt all communication!
Should I be able to see per-session cookies, created by IE7 (on Vista) here:
C:\Users\myUsername\AppData\Local\Microsoft\Windows\Temporary Internet Files
That is where my standard cookies are stored.
Session cookies are stored in memory
Persistent Cookies vs. Session Cookies
Cookies are either stored in memory (session cookies) or placed on your hard disk (persistent cookies). Persistent cookies are written to the Cookies folder under either your user profile folder or the Windir\Cookies folder. The Temporary Internet Files index is updated with pointers to the actual cookies files.
First-Party and Third-Party Cookies
First-party cookies are cookies that are associated with the host domain. Third-party cookies are cookies from any other domain.