
If someone has access to my computer, can they easily get my session id by going to the browser's developer tools and taking a photo of the session id with a phone, if the session id is passed in a cookie? E.g. in a Java web app, the JSESSIONID is usually passed as a cookie (sometimes even in the URL). They can then add that key-value pair to the website's document cookie whenever they want (assuming the session has not expired yet). Am I missing something, or is it really that easy?

If yes, why do browsers not employ some kind of security mechanism so that an attacker with physical access to the computer is not able to grab the session id, or other important cookies, through the developer tools? You can't just get someone's password, even with access to the computer. Chrome, for example, requires you to provide the computer's authentication credentials before you can view saved passwords. Why is similar authentication not required for cookies, given that cookies can many times contain a temporary password (e.g. a session id)?

Rpant
Fwiw, Firefox doesn't require anything before showing you saved passwords. Rule of thumb: if a malicious party has access to your computer, consider it and everything on it compromised. – Justin May 22 '19 at 17:50
"Chrome for example requires you to provide computer's authentication credentials before you can view saved passwords" - well, not if you go the easy way and let Chrome fill them in on the target site, then display them using the developer tools. – Martin Fürholz May 22 '19 at 18:24
  • That's right, I understand the user's security is basically compromised if someone else is on your computer, but my question is directed more towards understanding the security/restrictions when a server uses a session id as a token to identify an authenticated user. Another way to put my question would be: can someone peeping over my shoulder take a picture of my computer screen and use the session id if it's present in my website's URL? (The session id in older websites is appended at the end of the URL.) – Rpant May 22 '19 at 19:04
  • @Rpant most websites send cookies not in the URL but in a POST request. So no, someone peeping over can't see your cookies or session token. If a website sends session tokens in a URL, then yes. Although I personally have never seen such a website. – yeah_well May 22 '19 at 19:07
  • Cookies are just one way to track the history/session/anything of a returning user. Some web stacks (especially Java-based ones) append the session id at the end of every URL (hrefs) in a dynamically generated page, usually as a fallback mechanism. This is done to track the user's authentication when cookies are disabled in his browser. This is how a lot of Java-based app servers know that the user has been authenticated when he is not sending cookies on subsequent requests after authentication. – Rpant May 22 '19 at 19:14
  • I haven't seen a website like that. But if there is one, then yes, peeping would work as long as the session token appended to the URL does correspond to a session and the web application doesn't use another token along with it. – yeah_well May 22 '19 at 19:19
  • I just visited your profile and noticed you have answered a similar question, where you acknowledged the presence of session ids in URLs but commented that it's not a good practice. https://security.stackexchange.com/questions/209526/is-session-id-in-url-itself-for-all-the-requests-an-issue/209530#209530 – Rpant May 22 '19 at 19:27
  • I checked ICICI Bank, which is one of the largest banks in India. They append session ids at the end of the URL, e.g. my URL after login was https://infinity.icicibank.com/corp/AuthenticationController;jsessionid=000iBX2_mDo:Ruiu?bwram=8BpIq%2FRXPiIkbKkkPC9yAw8U%2FjSbdflrig%3D , however I can't even use the same URL in a different tab. – Rpant May 22 '19 at 19:32
  • Yes, like I answered there, it's a bad idea to send session tokens in the URL as they get stored in logs. As far as ICICI Bank goes, I can't comment on that. – yeah_well May 22 '19 at 20:27
  • Let us [continue this discussion in chat](https://chat.stackexchange.com/rooms/94004/discussion-between-vipul-nair-and-rpant). – yeah_well May 23 '19 at 11:08

1 Answer


I am going to answer this to the best of my abilities. But feel free to tell me if I miss something or to add anything.

> If someone has access to my computer, can they easily get my session id by going to the browser's developer tools and taking a photo of the session id with a phone, if the session id is passed in a cookie? E.g. in a Java web app, the JSESSIONID is usually passed as a cookie (sometimes even in the URL). They can then add that key-value pair to the website's document cookie whenever they want (assuming the session has not expired yet). Am I missing something, or is it really that easy?

Absolutely. They can simply go to the console and write `document.cookie` to get the saved cookies from any website, and as long as those cookies correspond to a valid session, they can simply send those session identifiers in their browser request and hijack your session.

NOT JUST THAT

If an attacker has physical access, they can also run a simple script to decrypt all the saved passwords in your Google Chrome browser.

> If yes, why do browsers not employ some kind of security mechanism so that an attacker with physical access to the computer is not able to grab the session id, or other important cookies, through the developer tools? You can't just get someone's password, even with access to the computer. Chrome, for example, requires you to provide the computer's authentication credentials before you can view saved passwords. Why is similar authentication not required for cookies, given that cookies can many times contain a temporary password (e.g. a session id)?

Well, for one, it's not possible. There are more ways to grab the cookies anyway. If you lock up the developer tools, you can simply intercept the request with a proxy and then grab the cookies from there. It is just not possible to hide it in a way that even makes it hard for an attacker.

Finally, the rule of thumb is:

IF AN ATTACKER HAS PHYSICAL ACCESS TO YOUR SYSTEM,IT IS NOT YOUR SYSTEM ANYMORE.

Also, here is what Google had to say about this:

> Chrome's security tech lead has responded to internet chatter on the topic, saying that once past the OS login stage, someone can theoretically find your passwords and all manner of other browser info out anyway, using various underhand means.

yeah_well
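A defender-side check for the two exposures this thread discusses (a session cookie readable from `document.cookie`, and a JSESSIONID rewritten into the URL as a `;jsessionid=` path parameter). This is an added example, not code from the original question or answer; the cookie names, header values and URLs below are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Cookie names treated as session identifiers (assumption: matched case-insensitively).
SESSION_COOKIE_NAMES = {"jsessionid", "phpsessid", "asp.net_sessionid", "sessionid", "sid"}


def audit_set_cookie(header_value):
    """Return findings for one Set-Cookie header value; an empty list means no issue found."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for attr in parts[1:]:
        key, _, value = attr.partition("=")
        attrs[key.strip().lower()] = value.strip()
    findings = []
    if name.lower() not in SESSION_COOKIE_NAMES:
        return findings  # only session cookies are of interest here
    if "httponly" not in attrs:
        findings.append(f"{name}: missing HttpOnly, so page scripts can read it via document.cookie")
    if "secure" not in attrs:
        findings.append(f"{name}: missing Secure, so it is also sent over plain HTTP")
    if attrs.get("samesite", "").lower() not in {"lax", "strict"}:
        findings.append(f"{name}: SameSite is not Lax or Strict")
    return findings


def session_id_in_url(url):
    """True if the URL carries a session id as a ;jsessionid= path parameter or as a query parameter."""
    split = urlsplit(url)  # urlsplit keeps ';param' inside .path, unlike urlparse
    if re.search(r";jsessionid=", split.path, re.IGNORECASE):
        return True
    query_keys = {k.lower() for k in parse_qs(split.query, keep_blank_values=True)}
    return bool(query_keys & SESSION_COOKIE_NAMES)


# Constructed samples: the weak header is what a default Java container may emit; the hardened one
# is what the Servlet 3.0 <cookie-config> (http-only/secure) plus a SameSite attribute produces.
WEAK_HEADER = "JSESSIONID=0000abcd; Path=/"
HARDENED_HEADER = "JSESSIONID=0000abcd; Path=/; Secure; HttpOnly; SameSite=Lax"
URL_WITH_SID = "https://bank.example/corp/AuthenticationController;jsessionid=000EXAMPLE?bwram=abc"
URL_CLEAN = "https://bank.example/corp/AuthenticationController?bwram=abc"

if __name__ == "__main__":
    for header in (WEAK_HEADER, HARDENED_HEADER):
        print(header, "->", audit_set_cookie(header) or "ok")
    for url in (URL_WITH_SID, URL_CLEAN):
        print(url, "->", "session id in URL" if session_id_in_url(url) else "ok")
```

Note that HttpOnly only stops page scripts and `document.cookie`; the cookie is still visible in the browser's storage panel and to anyone with the answer's "physical access", so the flags limit the blast radius of script injection rather than protect against a local attacker.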