View Full Version : Unchangeable (final) cookies

talha06
13 Mar 2015, 1:09 AM
Hi everyone,

Are there any ways to make cookies unchangeable - like final variables in programming languages in order to improve security?

p.s. I use Ext.state.CookieProvider.

skirtle
13 Mar 2015, 5:41 AM
Unchangeable by whom?

talha06
13 Mar 2015, 6:18 AM
> Unchangeable by whom?

By any client-side hacker?

skirtle
13 Mar 2015, 7:17 AM
That's still quite vague, e.g. there's a big difference between (1) a malicious user, (2) an injected script, (3) a hacker who has full access to the user's file-system.

I'm going to assume you're talking about compromised/malicious websites.

The standard restrictions on cookie access will ensure that only your site can change its cookies.

If your site is compromised, e.g. by an injected script, then there's not a lot you can do. Your code and the injected code will appear equivalent to the browser. The HTTP-only flag is designed to protect (to some extent) against this kind of problem but it can't apply to cookies you set in JavaScript.

In short, I don't think such a feature exists.

How cookies work isn't really an ExtJS question. You'll find no shortage of resources on the web that describe the details of what is and isn't possible.

talha06
13 Mar 2015, 6:00 PM
I mean we sometimes store data in the cookies, and all I want is to make them unchangeable, at least not easily through 3rd-party extensions/software. Otherwise it does not make sense to store data in cookies.

It can be done by visiting the website itself or by a script that crawls. Does not matter.

Of course I am well aware that how cookies work is not directly related to ExtJS, but some actions can be applied too. I created my own solution in order to prevent an attacker from setting/clearing cookies through the cookie provider, i.e. Ext.state.CookieProvider. But it is not an explicit solution at all.

skirtle
13 Mar 2015, 6:37 PM
> I mean we sometimes store data in the cookies, and all I want is to make them unchangeable, at least not easily through 3rd-party extensions/software. Otherwise it does not make sense to store data in cookies.

Don't store any sensitive information in cookies. A session id stored in an HTTP-only cookie, set to expire when the browser closes, is as far as I'd push it.

Any cookies you set will be sent as headers on every HTTP request. That's bloat before you even start. Then there's expiry to consider. If you keep the cookies around on a shared computer they'll be shared between users. Once you think through all the ramifications it quickly gets difficult to find any use cases for storing data in cookies.


> It can be done by visiting the website itself or by a script that crawls. Does not matter.

I'm unclear what you're referring to here.


> Of course I am well aware that how cookies work is not directly related to ExtJS, but some actions can be applied too. I created my own solution in order to prevent an attacker from setting/clearing cookies through the cookie provider, i.e. Ext.state.CookieProvider. But it is not an explicit solution at all.

Perhaps I've misunderstood what you're describing but why would an attacker access the cookies through CookieProvider rather than going directly to document.cookie? You seem to be fixing the wrong problem.

talha06
13 Mar 2015, 6:50 PM
> Perhaps I've misunderstood what you're describing but why would an attacker access the cookies through CookieProvider rather than going directly to document.cookie? You seem to be fixing the wrong problem.

If there is a workaround to prevent any modifications on document.cookie, please share it with me. Nothing wrong with taking actions against Cookie Providers. Web crawlers commonly use a JS library detection technique to attack using the library functions. An automated crawler script can easily modify cookies through the provided functions. My approach prevents such attacks at least.

skirtle
14 Mar 2015, 12:31 PM
> Nothing wrong with taking actions against Cookie Providers.

I disagree. If you've identified a specific bug or a security flaw in the implementation of Ext.state.CookieProvider then fair enough, but that doesn't seem to be what you're claiming. From what you've said it appears that you don't have a clear idea of the threats, so you've resorted to 'security by obscurity'.


> Web crawlers commonly use a JS library detection technique to attack using the library functions. An automated crawler script can easily modify cookies through the provided functions.

I don't understand what type of attack you're describing here. How does a crawler modifying cookies leave users vulnerable to attack? Can you give an example? Does this type of attack have a name? Could you point me to a resource outlining the problem, e.g. on OWASP?

talha06
14 Mar 2015, 12:43 PM
For example, an XSS attacker can aim to change the cookies provided by the website. These cookies may contain some information (statistical/personal information or a user preference) about the user. This means that you must not store any data that is processed at the server in cookies.


> From what you've said it appears that you don't have a clear idea of the threats, so you've resorted to 'security by obscurity'.

No comment. Nothing more to say.