[TYPO3-mvc] encrypted cookies in TYPO3

Chris Wolff - AERTiCKET AG cwolff at aer.de
Tue Dec 23 11:40:22 CET 2014


Hi Helmut,

> Cookies do not necessarily have something to do with session handling.
Okay, not necessarily, but 95% of the time they store session-relevant information.
And in the other 5% they are used as a "poor man's localStorage", as in my listView example.

>> Cookie encryption makes only sense to "protect" you against manipulation of cookie data.
> Which makes sense, doesn't it? Don't know why you put protect in quotes.
> This might even make sense for a session ID because the application can validate if it was the issuer of the cookie, in case you want to avoid session fixation.

I put "protect" in quotes because I think it's generally a bad idea to hand out data to the client that you want to protect.
I disagree on the session ID. A session ID is a pseudo-random value, which should by definition not be guessable. If I encrypt this value, I do not get a benefit from that.
My server only has to do encryption/decryption to look up the session ID.
Encryption does not add security value until you add some extra data like the IP address or user agent string. But if you add this, you have implemented a session fixation method!


> As a bonus, nobody could even read the content of a cookie.
If your user should not read the data, why give the data to the user in the first place?

Regards, Chris


-----Original Message-----
From: typo3-project-typo3v4mvc-bounces at lists.typo3.org [mailto:typo3-project-typo3v4mvc-bounces at lists.typo3.org] On behalf of Helmut Hummel
Sent: Tuesday, 23 December 2014 00:31
To: typo3-project-typo3v4mvc at lists.typo3.org
Subject: Re: [TYPO3-mvc] encrypted cookies in TYPO3

Hi Chris,

On 22.12.14 at 10:33, Chris Wolff - AERTiCKET AG wrote:

> Whether cookie encryption makes sense depends on your session handling strategy.

Cookies do not necessarily have something to do with session handling.

> Cookie encryption makes only sense to "protect" you against manipulation of cookie data.

Which makes sense, doesn't it? Don't know why you put protect in quotes.
This might even make sense for a session ID because the application can validate if it was the issuer of the cookie, in case you want to avoid session fixation.

As a bonus, nobody could even read the content of a cookie.

> It does NOT protect you from cookie stealing and cookie reuse.

Sure. Thanks for pointing that out.

Kind regards,
Helmut

--
Helmut Hummel
Release Manager TYPO3 6.0
TYPO3 CMS Active Contributor, TYPO3 Security Team Member

TYPO3 .... inspiring people to share!
Get involved: typo3.org
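As an added illustration of the point argued in this thread (not code from the thread or from TYPO3), the server below seals its cookie with an HMAC rather than encrypting it, since Python's standard library has no block cipher; the property under discussion is the same for both: protecting the cookie stops manipulation, but only binding client data such as the IP address and user agent into the protected payload lets the server reject a copied cookie. The secret, function names and sample values are constructed for the demo.

```python
import hashlib
import hmac
import json

# Constructed server-side secret for the demo; a real deployment loads it from configuration.
SERVER_SECRET = b"constructed-demo-secret"


def seal(payload: dict) -> str:
    """Serialise the payload and append an HMAC tag so the client cannot alter it."""
    body = json.dumps(payload, sort_keys=True)
    tag = hmac.new(SERVER_SECRET, body.encode(), hashlib.sha256).hexdigest()
    return body + "|" + tag


def unseal(cookie: str):
    """Return the payload if the tag verifies, else None (manipulated or forged)."""
    body, _, tag = cookie.rpartition("|")
    expected = hmac.new(SERVER_SECRET, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    return json.loads(body)


def accept_protected(cookie: str, client_ip: str, client_ua: str) -> bool:
    """Integrity-only check: a copied but untampered cookie passes from any client."""
    return unseal(cookie) is not None


def accept_bound(cookie: str, client_ip: str, client_ua: str) -> bool:
    """Integrity check plus binding of the sealed IP/UA to the presenting client."""
    payload = unseal(cookie)
    return (payload is not None
            and payload.get("ip") == client_ip
            and payload.get("ua") == client_ua)


def issue_cookie(session_id: str, client_ip: str, client_ua: str) -> str:
    """Issue a sealed cookie that records which client it was handed to."""
    return seal({"sid": session_id, "ip": client_ip, "ua": client_ua})


if __name__ == "__main__":
    # Constructed sample client values
    cookie = issue_cookie("sid-1234", "203.0.113.10", "Browser/1.0")
    print("same client, protected:", accept_protected(cookie, "203.0.113.10", "Browser/1.0"))
    print("other client, protected:", accept_protected(cookie, "198.51.100.7", "Browser/1.0"))
    print("other client, bound:", accept_bound(cookie, "198.51.100.7", "Browser/1.0"))
    print("tampered, protected:", accept_protected(cookie.replace("sid-1234", "sid-0000"), "203.0.113.10", "Browser/1.0"))
```

The second print shows the limitation from the thread: the protected cookie is accepted from a different client, and only the bound check rejects it.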
