Crack a single http cookie and gain access to a random user's account!

Question

I was looking for lots of information about cookies recently. What attracted me the most was the fact that cookies come in all forms and can be hijacked through arp poisining and spoofing on the local network or wirelessly.

I did not see one case that I would like to ask about.

Can a potential hacker literally crack and enumerate a random's user cookie and throw back the cracked cookie.

we assume that the website gets a lot of traffic and has many users signed in at the same time.

In case we want to be secure from this kind of attack we may log off the user after a certain period of time or globally use an https certificate but this isn't the main theme here.

Answer 1

Protecting against enumerating valid session cookies is easy: just make the search space too large for an attacker to have any hope of finding another valid value this century. For example, if the cookies are cryptographically secure [pseudo-]random 128-bit values, there could be a billion (~2^30) unique active sessions at once (that never expire) and you could have a botnet of a billion compromised IoT devices each sending a thousand requests a second (for a total of ~2^40 guesses/second), and it would still, on average, take you around 450 million years to find the first valid token. 128 bits isn't even that long, either; a mere 16 bytes of data.

This works even if the session tokens aren't just random blobs of data but contain some predictable information, so long as the unpredictable part has enough entropy. For example, a JSON Web Token (JWT) contains a chunk of plain-text data (base64-encoded, but that's trivial to decode and provides no security) and then a signature (either an asymmetric signature or a MAC). Let's assume it uses an HMAC with SHA-256 and a 256-bit key; the heat death of the universe would arrive long before you could have any hope to brute-force that key, even if you could set every computing device on the planet today to doing nothing but working on it.