[question] What are the consequences of setting empty "encryption key"?

Question

[question] What are the consequences of setting empty "encryption key"?

karelbilek opened this issue 4 years ago · 6 comments

Describe the problem you're having

I am using gorilla.Sessions, and I do not fully understand the documentation to NewCookieStore.

The first key in a pair is used for authentication and the second for encryption. The encryption key can be set to nil or omitted in the last pair, but the authentication key is required in all pairs.

It is recommended to use an authentication key with 32 or 64 bytes. The encryption key, if set, must be either 16, 24, or 32 bytes to select AES-128, AES-192, or AES-256 modes.

What exactly happen on empty encryption key? The cookie won't be encrypted at all, so the end users might be able to read the data? Or is the encryption key auto-generated somehow?

This is both a question and a request for better documentation :)

Answer 1 · 2020-09-01T01:47:46.000Z

If you omit the encryption key, cookies are only authenticated - that is, they cannot be tampered with by the client.

Cookie values are otherwise sent in plaintext, and I would generally advise using TLS (HTTPS) to protect cookies in transit, as a stolen cookie is a real risk. Storing sensitive values in the cookie itself is not recommended in general.

Noted on the docs :)

Answer 2 · 2020-09-01T10:50:26.000Z

Cookie values are otherwise sent in plaintext, and I would generally advise using TLS (HTTPS) to protect cookies in transit, as a stolen cookie is a real risk. Storing sensitive values in the cookie itself is not recommended in general.

If the server uses TLS, authetication doesn't really matter that much anyway though, right. Since TLS is doing the auth already, so we don't really need second auth.

Answer 3 · 2020-09-01T12:55:16.000Z

Not true - you still want to authenticate the cookie so that the client themselves can’t forge or otherwise edit the cookie in an attempt to masquerade as an admin or another user. If you store the user ID in the cookie, for example - a common approach - you do not want the user to be able to modify it. That they can see the value in plaintext isn’t an issue.

Answer 4 · 2020-09-09T22:31:33.000Z

I think Karelbilek has a point in the case of using any other than the cookie store implementations. As long as your cookie is big and random the attacker will not be able to guess the cookie of another user. The whole idea of a persistent storage is to use this random value as a lookup key. Since the session manager is the only one with access to the store no one else is able to magically create a session. The chance of an attacker being able to guess an active session are as big as the odds of an attacker being able to generate a correct signature without knowing the private key.

Answer 5 · 2020-09-10T17:01:53.000Z

It's not clear what the ask is here? Remove cookie authentication? Not going to happen.

Many users of this package may put state in the cookie that would be at risk of being manipulated
Detecting tampering is useful
Not all applications or users of this package use TLS - unfortunate, but true.
a layer of protection against store implementations with predictable IDs

Since the HMAC validation extremely minimal w.r.t CPU load, the risk vs. benefit here is unclear.

Answer 6 · 2020-09-11T05:22:05.000Z

I only asked for better explanation in documentation. Because the drawbacks are not immediately clear. Not sure why it was closed. :) but the question was answered here so ok

…

On Fri, 11 Sep 2020 at 00:02, Matt Silverlock ***@***.***> wrote: Closed #225 <#225>. — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub <#225 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAAZT4NMGHYXUYUAHIGATUDSFEBBPANCNFSM4QO2WIUA> .