5

What security benefits would randomizing cookie names on a website offer? What are some of the challenges it would create?

Scott Pack
  • 15,167
  • 5
  • 61
  • 91
Moshe
  • 1,721
  • 3
  • 16
  • 22

3 Answers

9

I don't think you gain a lot since they'd still be associated with the site, or some sub-domain of it.

As for the downsides, you'd have to have some lookup to figure out what the name for a particular cookie is so you can know where the data you stored previously can be found.

I think you're better off not worrying about it, and instead making sure you only store some unique identifier so you can tell who it is, provide adequate security to keep others out of their account, and store all other user-related data internally in your own back-end database.

Greg
  • 254
  • 2
  • 4
  • The session name may reveal the type of server. For example, `connect.sid` reveals the Express framework on a Node.js server. That knowledge could help malicious users to focus their effort. – Chris Jun 11 '19 at 13:49
4

The only upside to randomizing cookie names is if you have reason to believe a given cookie might be overridden by different cookies with the same name.
For example, multiple instances of the same app on a single webserver. Or, shared hosting - you never know what someone else will put in...

But then, there are better solutions - such as scoping the cookie to the specific path... Everything else is just security by obscurity.

And the downside is as @Greg pointed out.

AviD
  • 72,138
  • 22
  • 136
  • 218
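As an added illustration of the collision AviD describes and the Path-scoping alternative (example code written for this page, not from the answer's author), the script below drives Python's `http.cookiejar` as a stand-in for a browser: two applications on the constructed host `example.test` each set a session cookie named `sid`, first with `Path=/` and then scoped to their own paths. The `_FakeResponse` class, the URLs and the session values are assumptions made for the demo.

```python
import email.message
import http.cookiejar
import urllib.request


class _FakeResponse:
    """Minimal stand-in for an HTTP response; CookieJar only ever calls .info().

    Constructed for this demo so it runs offline without a real server.
    """

    def __init__(self, set_cookie_headers):
        self._headers = email.message.Message()
        for value in set_cookie_headers:
            self._headers.add_header("Set-Cookie", value)

    def info(self):
        return self._headers


def receive(jar, url, set_cookie_headers):
    """Simulate the browser storing the Set-Cookie headers of a response to `url`."""
    request = urllib.request.Request(url)
    jar.extract_cookies(_FakeResponse(set_cookie_headers), request)


def cookie_header_for(jar, url):
    """Return the Cookie header the browser would attach to a request for `url`."""
    request = urllib.request.Request(url)
    jar.add_cookie_header(request)
    return request.get_header("Cookie", "")


def simulate(scope_to_path):
    """Two apps on one host both use a cookie named 'sid'.

    With scope_to_path=False both apps set Path=/ and the second Set-Cookie
    silently replaces the first, so /app1 is sent app2's session.
    With scope_to_path=True each cookie is scoped to its own path and the
    browser only sends each one to the matching application.
    """
    jar = http.cookiejar.CookieJar()
    path1 = "/app1" if scope_to_path else "/"
    path2 = "/app2" if scope_to_path else "/"
    # Constructed session values; a real app would use random session ids.
    receive(jar, "https://example.test/app1/login",
            [f"sid=session-for-app1; Path={path1}; Secure; HttpOnly"])
    receive(jar, "https://example.test/app2/login",
            [f"sid=session-for-app2; Path={path2}; Secure; HttpOnly"])
    return {
        "/app1": cookie_header_for(jar, "https://example.test/app1/dashboard"),
        "/app2": cookie_header_for(jar, "https://example.test/app2/dashboard"),
    }


if __name__ == "__main__":
    print("unscoped:", simulate(False))   # both paths receive session-for-app2
    print("scoped:  ", simulate(True))    # each path receives its own session
```

Path scoping only separates applications that cooperate; a sibling application (or a co-tenant on shared hosting) can still set `Path=/` and override everything, which is the limit AviD's "better solutions" have and the reason the question below about related-domain cookies exists.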
1

I could envision how randomizing cookie names could prevent Related Domain Cookie attacks.

What cookie attacks are possible between computers in related DNS domains (*.example.com)?

One possible solution is where the cookie name is a hashed value corresponding to the user name, etc., and acts as a MAC against this type of attack. In other words, cookie names with an invalid name/hash would be discarded.

Example:

`normalcookieName_SomeHashedValueBasedOnSessionID`

makerofthings7
  • 50,090
  • 54
  • 250
  • 536
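The scheme in the answer above, worked through as an added example (code written for this page, not makerofthings7's): the server derives the cookie name from an HMAC of the session value under a server-side key, and when reading the Cookie header it discards any cookie whose name does not verify against its value. The `sid_` prefix, the 32-hex-character tag length, the server key and the session ids are constructed for the demo.

```python
import hashlib
import hmac
from http.cookies import SimpleCookie

COOKIE_PREFIX = "sid_"   # hypothetical prefix, the answer's "normalcookieName"
TAG_HEX_CHARS = 32       # keep 128 bits of the HMAC-SHA256 tag, hex-encoded


def cookie_name_for(session_id, server_key):
    """Cookie name = prefix + truncated HMAC(server_key, session_id).

    Only the server knows server_key, so a cookie planted from a related
    domain cannot carry a name that verifies against its own value.
    """
    tag = hmac.new(server_key, session_id.encode(), hashlib.sha256).hexdigest()
    return COOKIE_PREFIX + tag[:TAG_HEX_CHARS]


def issue_session_cookie(session_id, server_key):
    """Set-Cookie header value for a freshly created session."""
    name = cookie_name_for(session_id, server_key)
    return f"{name}={session_id}; Path=/; Secure; HttpOnly; SameSite=Lax"


def valid_session_ids(cookie_header, server_key):
    """Parse an incoming Cookie header and keep only MAC-valid session cookies.

    Returns (accepted_session_ids, rejected_cookie_names). Cookies outside the
    prefix are ignored; prefixed cookies whose name is not the MAC of their
    value are the injected ones the answer says should be discarded.
    """
    jar = SimpleCookie()
    jar.load(cookie_header)
    accepted, rejected = [], []
    for name, morsel in jar.items():
        if not name.startswith(COOKIE_PREFIX):
            continue
        expected = cookie_name_for(morsel.value, server_key)
        if hmac.compare_digest(expected, name):   # constant-time comparison
            accepted.append(morsel.value)
        else:
            rejected.append(name)
    return accepted, rejected


def demo():
    # Constructed key and session id; in practice use secrets.token_bytes(32)
    # for the key and a random session id from the session store.
    server_key = b"constructed-demo-key-do-not-use"
    legit_sid = "7f3a9c1e"
    set_cookie = issue_session_cookie(legit_sid, server_key)
    # Constructed Cookie header: the legitimate pair plus a cookie planted
    # from a sibling subdomain with a made-up name, plus an unrelated cookie.
    forged_name = COOKIE_PREFIX + "0" * TAG_HEX_CHARS
    cookie_header = (f"{cookie_name_for(legit_sid, server_key)}={legit_sid}; "
                     f"{forged_name}=attacker-session; theme=dark")
    return set_cookie, valid_session_ids(cookie_header, server_key)


if __name__ == "__main__":
    issued, (accepted, rejected) = demo()
    print("Set-Cookie:", issued)
    print("accepted session ids:", accepted)   # ['7f3a9c1e']
    print("rejected cookie names:", rejected)  # ['sid_000...0']
```

Two caveats a practitioner should keep in mind. The MAC binds the name to the value, so only name/value pairs the server itself issued will pass; it does not stop someone planting a pair the server issued to them, so the session id still has to be regenerated on login. And the same protection against related-domain injection is available today without custom naming: a cookie whose name starts with `__Host-` is only accepted by browsers when it is Secure, has no Domain attribute and has `Path=/`, which means it can only have been set by the exact host that receives it.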