I am new to cookies. My understanding of encrypted cookies is that a server can store information at the client side without the client knowing its contents. Now, let us say a server generates authentication information for a client in an encrypted cookie, which the client stores at its end. Now, if an attacker sniffed the encrypted cookie and made a malicious request to the server presenting the encrypted cookie, wouldn't the server process the request as if it were coming from a genuine client?

What is the point of encryption when an attacker can use the same encrypted cookie?

  • @Esa Jokinen - Yes, I think so - From what I understand, an attacker can present the encrypted cookie and make genuine requests. The purpose of cookie encryption is more for the server to securely store information at the client side. – Abhishek Palakkal Kaliyath Jun 07 '20 at 11:51

1 Answer

... and made a ... request to the server presenting the encrypted cookie

Without knowing the particular server, we cannot really answer this question. But if we assume that the server does not use any other information (user IP, user location, user device data), then very probably the server will accept such a cookie and believe that the attacker is the original user.

If an attacker gets access to user cookies, encryption prevents sensitive information from being disclosed. But it is arguable whether this is good practice or not. Users can clean up their cookies regularly (many browser extensions clean up cookies every 1-2 hours or every time the browser is closed). So a more reliable way may be to keep sensitive data in the user account on the server side.

Encryption of separate cookies does not prevent manipulation on the user side. If the user knows the meaning of the cookie, then he can replace some cookies with his own cookies from earlier sessions (if they are not expired), or exchange cookies with friends, or in some cases steal cookies. In such cases encryption gives no advantage.

Some developers encrypt cookies to prevent their modification by users. But actually such an approach is error prone. The backend should never accept client data as is and should always validate it. That's why encryption for integrity purposes normally makes no sense.

You said "over HTTP". Encrypted cookies are not readable by anyone who reads HTTP traffic. But if a web site uses HTTP, then it is very probable that the information in the cookies was earlier provided by the user in previous HTTP requests to the server without any encryption. Thus it is very probable that the attacker already knows this information, and encryption of cookies gives only a false feeling of more security.

Users who know what cookies are may think something like "they are spying on me". Thus encryption of cookies may break trust in the web site.

"What is the point of encryption ...?" In many cases there is no point, developers just have a false feeling that this may give more security.

mentallurg
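As an added example, not part of the question or of mentallurg's answer, the following Python script walks through the points made above against a hypothetical server: a sniffed encrypted cookie is simply replayed and accepted; an attacker who knows the cookie's layout can change the decrypted identity without ever having the key, so encryption alone gives no integrity; and a server-side session store with an opaque random handle rejects tampered handles and can revoke a session, while a live handle is still replayable until it expires or is logged out. The cipher is a toy HMAC-SHA256 keystream standing in for a real unauthenticated stream cipher, the two server classes, the `forge_cookie` helper and the user names "alice" and "admin" are all assumptions made for the illustration, and everything uses only the Python standard library.

```python
import base64
import hashlib
import hmac
import json
import os
import secrets
import time

NONCE_LEN = 16  # toy cipher nonce prefix, bytes


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy CTR-style keystream from HMAC-SHA256 (illustration only, not for production)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Unauthenticated stream encryption: confidentiality only, no integrity."""
    nonce = os.urandom(NONCE_LEN)
    ks = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ k for p, k in zip(plaintext, ks))


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct = blob[:NONCE_LEN], blob[NONCE_LEN:]
    ks = _keystream(key, nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


class EncryptedCookieServer:
    """Hypothetical server that stores the identity in an encrypted cookie and trusts whatever decrypts."""

    def __init__(self) -> None:
        self.key = os.urandom(32)  # server-side secret; the attacker never sees it

    def login(self, user_id: str) -> str:
        payload = json.dumps({"uid": user_id}).encode()
        return base64.urlsafe_b64encode(encrypt(self.key, payload)).decode()

    def whoami(self, cookie: str) -> str:
        payload = decrypt(self.key, base64.urlsafe_b64decode(cookie))
        return json.loads(payload)["uid"]


def forge_cookie(cookie: str, guessed_uid: str, wanted_uid: str) -> str:
    """Attacker without the key: guess the plaintext layout, XOR (guess ^ wanted) into the ciphertext."""
    blob = base64.urlsafe_b64decode(cookie)
    nonce, ct = blob[:NONCE_LEN], blob[NONCE_LEN:]
    guess = json.dumps({"uid": guessed_uid}).encode()   # what we believe is encrypted
    wanted = json.dumps({"uid": wanted_uid}).encode()   # same length as the guess
    forged = bytes(c ^ g ^ w for c, g, w in zip(ct, guess, wanted))
    return base64.urlsafe_b64encode(nonce + forged).decode()


class ServerSideSessionServer:
    """Keeps the data on the server; the cookie is only an opaque random handle that can expire or be revoked."""

    def __init__(self) -> None:
        self.sessions: dict = {}

    def login(self, user_id: str) -> str:
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"uid": user_id, "expires": time.time() + 3600}
        return sid

    def whoami(self, sid: str):
        session = self.sessions.get(sid)
        if session is None or session["expires"] < time.time():
            return None  # unknown, tampered or expired handle
        return session["uid"]

    def logout(self, sid: str) -> None:
        self.sessions.pop(sid, None)


def demo() -> dict:
    results = {}
    enc = EncryptedCookieServer()
    alice_cookie = enc.login("alice")
    # 1. Replay: a sniffed cookie is accepted as-is; the server cannot tell who sent it.
    results["replay"] = enc.whoami(alice_cookie)
    # 2. Malleability: the decrypted identity is changed without the key.
    results["forged"] = enc.whoami(forge_cookie(alice_cookie, "alice", "admin"))
    store = ServerSideSessionServer()
    sid = store.login("alice")
    # 3. An opaque handle is still replayable while the session lives ...
    results["opaque_replay"] = store.whoami(sid)
    # ... but a modified handle matches nothing, and logout revokes the real one.
    tampered = sid[:-1] + ("A" if sid[-1] != "A" else "B")
    results["opaque_tampered"] = store.whoami(tampered)
    store.logout(sid)
    results["after_logout"] = store.whoami(sid)
    return results
```

Run `demo()` to see the five outcomes: `replay` and `opaque_replay` both return `"alice"`, which is the replay problem the question asks about and which neither design solves by itself; `forged` returns `"admin"`, showing that an encrypted-but-unauthenticated cookie can be rewritten by someone who never had the key; `opaque_tampered` and `after_logout` return `None`, which is what keeping the state on the server buys you.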