1. 7

  2. 3

    Why would you store an admin flag, or any other sensitive information, in a cookie? Keep the session details on a server and reference them via a session id that’s stored in the cookie. An attacker would now need to guess an existing, unexpired admin session id (impossible if correctly implemented) to break in. No need to encrypt the cookie because it doesn’t contain anything that’s easily manipulated.

    Note: An attacker could also steal a session cookie from an admin, but you’ve got bigger problems if this is possible. Also note there are ways to harden against this.

    1. 4

      It’s (vastly) simpler and equally secure to store MAC-signed data client-side, provided you use a strong key and don’t leak it.
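Both approaches from the two comments above, as an added example (not code posted by either commenter): an opaque random session id that indexes a server-side store, and a MAC-signed client-side cookie whose contents cannot be altered without the key. The in-memory store, the `ttl_seconds` parameter, the cookie layout (`base64(json).base64(hmac)`) and the sample key are all assumptions made for this example. The tamper check at the end shows that flipping an `admin` field in the signed payload is rejected because the HMAC no longer matches.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# --- Approach 1: server-side store, cookie carries only a random id ---

class SessionStore:
    """In-memory session store (assumption: a real deployment would use a
    shared cache or database). The cookie holds nothing but the opaque id."""

    def __init__(self, ttl_seconds=3600):
        self._sessions = {}
        self._ttl = ttl_seconds

    def create(self, data, now=None):
        now = time.time() if now is None else now
        # 32 random bytes (256 bits): guessing a live id is infeasible.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = (dict(data), now + self._ttl)
        return sid

    def get(self, sid, now=None):
        """Return the session data, or None if unknown or expired."""
        now = time.time() if now is None else now
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        data, expires = entry
        if now >= expires:
            del self._sessions[sid]  # expired ids are purged on access
            return None
        return dict(data)

# --- Approach 2: MAC-signed client-side cookie ---

def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _encode_payload(data):
    # Canonical JSON so the same dict always yields the same bytes.
    return _b64(json.dumps(data, sort_keys=True, separators=(",", ":")).encode())

def sign_cookie(data, key):
    """Produce 'payload.tag' where tag = HMAC-SHA256(key, payload)."""
    payload = _encode_payload(data)
    tag = hmac.new(key, payload.encode(), hashlib.sha256).digest()
    return f"{payload}.{_b64(tag)}"

def verify_cookie(cookie, key):
    """Return the decoded dict if the tag is valid, otherwise None."""
    try:
        payload, tag_b64 = cookie.split(".", 1)
        expected = hmac.new(key, payload.encode(), hashlib.sha256).digest()
        # Constant-time comparison avoids leaking the tag byte by byte.
        if not hmac.compare_digest(expected, _unb64(tag_b64)):
            return None
        return json.loads(_unb64(payload))
    except (ValueError, UnicodeDecodeError):
        # Malformed base64, missing separator or invalid JSON all end here.
        return None

def tampered_copy(cookie, data):
    """Re-encode a different payload but keep the original tag; used below
    to show that a modified admin flag is rejected."""
    _payload, tag_b64 = cookie.split(".", 1)
    return f"{_encode_payload(data)}.{tag_b64}"

if __name__ == "__main__":
    key = b"constructed-sample-key-32-bytes!!"  # assumption: real key from a KMS
    store = SessionStore(ttl_seconds=10)
    sid = store.create({"user": "alice", "admin": True}, now=0)
    print("server-side lookup:", store.get(sid, now=5))
    print("after expiry:", store.get(sid, now=10))

    cookie = sign_cookie({"user": "alice", "admin": False}, key)
    print("valid cookie:", verify_cookie(cookie, key))
    forged = tampered_copy(cookie, {"user": "alice", "admin": True})
    print("tampered cookie:", verify_cookie(forged, key))
```

The signed cookie only guarantees integrity: its contents are readable by the client, and a valid cookie stays valid until the key rotates unless an expiry field is included in the payload, whereas the server-side store can expire or revoke a session on demand.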

      1. 2

        I have the same thoughts, but apparently every framework in existence does things differently. You must not be web scale.

        1. 2

          I’ve never heard of a session id that wasn’t just a randomly generated key into a cache. I’m now appropriately appalled. Yikes…

          1. 1

            Umm, Django uses random session IDs which refer to a server-side store (unless you configure cookie-based sessions, so don’t). Node.js ‘express-session’ ditto.

            Client-side sessions used to be a performance thing back when looking up a session was a database operation on the backend and you were running a farm of stateless application layer servers with no shared cache and your load balancer didn’t support sticky sessions and the whole page reloaded every time someone clicked a button. But these days … um, I don’t see the point either.

        2. 3

          This post also touches on the idea of red/black material, and how they should be managed. When you have some secret which must be maintained, you can think about it being “black” when it’s encrypted (symmetrically, as you presumably want to access the plaintext in the future), and “red” when it’s decrypted. In designing the system, you want to keep the black and red materials as separate as possible, and have clear procedures and controls for all red material. If you’re using the environment variable, the secret must be provided in a red (plaintext) form, and you presumably have some procedure in place to ensure that red material is protected.