
I have implemented stateless session cookie, something along the lines of this article:

Demystifying Web Authentication (Stateless Session Cookies)

The cookie contain an expiry time within the hashed value, and also the cookie is set with a session timeout in the browser. When the user logs out, the cookie is deleted. However, someone noted that an attacker can steal the cookie and essentially use it within the specified expiry time in the cookie even though the user has logged out. Is there a solution to this problem (beside ditching stateless session cookie and using standard server/framework session management)?

V1400
    While it seems to be a new fad to create stateless sessions, "stateless session" is an oxymoron. If you have a session, by definition, you have state of that session. If you are stateless, you cannot maintain a session because you have nowhere to maintain the state of that session. – atk Oct 27 '14 at 20:21

2 Answers


The whole point of having a "stateless" thing is to avoid maintaining state (here, on the server side). Stateless servers are unavoidably subject to replay attacks, by definition. The problem you are envisioning is basically a replay attack.

If attackers can steal clients' cookies, then you already have bigger issues. If they cannot, then there is no problem. Use SSL.

(SSL is not the ultimate solution for everything, but it helps avoid cookie stealing, at least as long as the cookie is marked as Secure and HttpOnly.)

Tom Leek

No, there really isn't. In order for this to work, you need to have some form of session management in place to determine whether the token in a cookie is valid or not. This may mean maintaining a list of valid sessions as in traditional session management, or explicitly blacklisting tokens that have been logged out until they expire. (Less overhead on the application, but significantly harder to do correctly.)

Ultimately, this is a generally low-risk threat, and in my opinion, generally not worth mitigating. It's completely counter to the request-response model of the web, and you can protect against token theft adequately well by simply using TLS and HTTPS.

Xander
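As an added example (not code from the question, the linked article or either answer), here is a minimal sketch of the blacklisting approach Xander describes: an HMAC-signed cookie that carries its own expiry, plus a revocation set of logged-out token ids that only has to be remembered until those tokens would have expired anyway. The key, the payload field names and the fixed timestamps are assumptions made for the demonstration.

```python
import base64
import hashlib
import hmac
import json
import secrets

SECRET = b"constructed-demo-key-do-not-use"  # assumption: server-side signing key
revoked = {}  # jti -> exp ; the only server state the scheme needs

def issue(user, ttl, now):
    """Build a cookie value 'payload.mac' with an embedded expiry and token id."""
    payload = {"sub": user, "exp": now + ttl, "jti": secrets.token_hex(8)}
    body = base64.urlsafe_b64encode(json.dumps(payload).encode()).decode()
    mac = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    return body + "." + mac

def verify(cookie, now):
    """Return the payload if the MAC holds, the token is unexpired and not revoked."""
    body, _, mac = cookie.rpartition(".")
    expected = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None  # tampered or malformed: never decode an unverified body
    payload = json.loads(base64.urlsafe_b64decode(body))
    if payload["exp"] <= now:
        return None  # past the expiry baked into the cookie
    if payload["jti"] in revoked:
        return None  # logged out before expiry: this is the replay case
    return payload

def logout(cookie, now):
    """Remember the token id until its own expiry so a stolen copy is rejected."""
    payload = verify(cookie, now)
    if payload is not None:
        revoked[payload["jti"]] = payload["exp"]

def purge(now):
    """Drop revocation entries whose tokens are expired anyway; returns count removed."""
    stale = [jti for jti, exp in revoked.items() if exp <= now]
    for jti in stale:
        del revoked[jti]
    return len(stale)
```

The revocation dict is bounded by the number of logouts within one token lifetime, which is the trade-off the answer points at: a little state in exchange for closing the logout-then-replay window.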