How do I destroy an http-only cookie while a server is offline?
I have a web application that talks to a web-server via REST, this web application could be running on a public computer and enables multiple users to logon and logout in a given time period.

All cookies are HTTP-only; this is simply an additional security measure to cover cases of successful XSS attacks. This means that a REST call must be made to force a logout.

My concern is that the web-server may go down for any reason (or become inaccessible, e.g. a network cable being disconnected somewhere). When the user hits logout, there is then actually no way of removing the cookie, meaning that the user may walk away from the PC; meanwhile another user could come along when the connection is restored or the server comes back, and just continue using the previous user's account.

What is the typical way of dealing with this use case? (admittedly not particularly common).

Kunming answered 7/7, 2015 at 1:55

On a public computer, users should at least be using a private browser tab/window … But working under the assumption that they can’t all be knowledgeable enough to apply at least such basic measures, I would check the success of the logout request, and alert them to the fact that it did not work. (Weldon)

Also, reducing the session lifetime might help prevent the worst. If you want to “ping” the server in an interval to keep the session alive so as not to inconvenience regular users that might linger on a page with lots of content longer, then that should be stopped when logout fails. (If it fails because there is no connection, then it wouldn’t matter that much, but there might be other reasons maybe.) You could offer reduced session lifetime as an optional feature as well, let's say by having an “I am logging in from a public computer” checkbox in the login form … (Weldon)
If I were tasked with something like this, and downtime was a given, I'd probably do something like adding a second cookie, modifiable through JS (let's call it cookiever), which would contain some value that is used as a part of the HMAC signature on the http cookie, ie (pseudocode):

cookiever ||= random                       # fresh random value; this cookie stays readable/writable by JS
cookie_signature = hex_hmac_sha256(cookie_data + cookiever, "signing_secret")   # cookiever is bound into the MAC
httponlycookie = urlsafe_base64(cookie_data) + "|" + cookie_signature
set_cookie("httponly", httponlycookie, httponly=True)   # session payload + signature, not reachable from JS
set_cookie("cookiever", cookiever)         # same name as used in the signature; must NOT be httponly

Normally, cookiever would be set by the server along with the httponly cookie, and is used to validate the cookie on each request. If the user were to request a logout, then you would use JavaScript to write an empty value to cookiever, destroying the signing information in the cookie. Thus, even if the httponly cookie can't be destroyed, the cookiever cookie would be, and on the next successful request, the httponly cookie would fail to validate its HMAC signature, and your server would discard it and force the user to start a new session.

Melburn answered 7/7, 2015 at 2:11
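The server side of the scheme described in this answer, as an added example that is not the answerer's own code. It assumes a constructed signing secret and the two cookie names from the pseudocode; clearing the JS-writable cookiever value (the logout-while-offline case) makes the untouched httponly cookie fail validation.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed placeholder; a real deployment loads this from configuration.
SIGNING_SECRET = b"signing_secret"


def _sign(cookie_data: bytes, cookiever: str) -> str:
    # The MAC covers both the session payload and the JS-clearable cookiever,
    # so the httponly cookie is only valid together with that exact cookiever.
    return hmac.new(SIGNING_SECRET, cookie_data + cookiever.encode(), hashlib.sha256).hexdigest()


def issue_cookies(cookie_data: bytes) -> dict:
    """Values for the two Set-Cookie headers emitted at login.

    'httponly' is sent with the HttpOnly flag; 'cookiever' is sent without it
    so that the logout script can overwrite it even when the server is down.
    """
    cookiever = secrets.token_hex(16)
    encoded = base64.urlsafe_b64encode(cookie_data).decode()
    return {"httponly": encoded + "|" + _sign(cookie_data, cookiever), "cookiever": cookiever}


def validate(httponly: str, cookiever):
    """Return the session payload if the cookie pair verifies, else None."""
    if not cookiever:
        # Missing or emptied by the logout script: nothing to verify against,
        # so the leftover httponly cookie is treated as no session at all.
        return None
    try:
        encoded, signature = httponly.split("|", 1)
        cookie_data = base64.urlsafe_b64decode(encoded)
    except ValueError:  # malformed cookie (binascii.Error is a ValueError)
        return None
    expected = _sign(cookie_data, cookiever)
    if not hmac.compare_digest(expected, signature):  # constant-time comparison
        return None
    return cookie_data
```

On the client, the logout handler simply overwrites cookiever (e.g. sets it to an empty value with an expiry in the past) before attempting the REST logout call, so the local invalidation happens regardless of whether the server is reachable.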
