Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Enhance Auth Session Cookie Security #2844

Open
4 tasks
BlairCurrey opened this issue Aug 6, 2024 · 0 comments
Open
4 tasks

Enhance Auth Session Cookie Security #2844

BlairCurrey opened this issue Aug 6, 2024 · 0 comments
Labels
pkg: auth Changes in the GNAP auth package. type: security Security related

Comments

@BlairCurrey
Copy link
Contributor

BlairCurrey commented Aug 6, 2024
edited
Loading

Auth sessions were moved into Redis which took the session content out of the cookie that gets sent to the client (leaving just the identifier). In fixing some aspects of this, we found that we could beef up security measures in a few additional ways:

  • Use the secure flag in koa-session. May need to use ngrok/tunnelmole, etc. to validate it's working as intended from localhost. Note auth helm chart NODE_ENV is development. Might need to be updated if checking for production here or elsewhere with these settings.
  • Apply the appropriate SameSite attribute (if different than the current default). I don' think strict will work.
  • Ensure httpOnly cookies are set (should already be the case)
  • Prefix with __Secure- (or probably even better) __Host-. This depends on the secure flag and would require the same sort of local setup to test.

More info on these settings: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#attributes
@BlairCurrey BlairCurrey added the discussions: ideas Convert to an idea discussion label Aug 6, 2024
@github-project-automation github-project-automation bot moved this to Backlog in Rafiki Aug 6, 2024
@BlairCurrey BlairCurrey added type: security Security related pkg: auth Changes in the GNAP auth package. labels Aug 6, 2024
@BlairCurrey BlairCurrey mentioned this issue Aug 6, 2024
Merged
5 tasks
@BlairCurrey BlairCurrey removed the discussions: ideas Convert to an idea discussion label Sep 10, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
pkg: auth Changes in the GNAP auth package. type: security Security related
Projects
Rafiki
Status: Backlog
Milestone
No milestone
Development

No branches or pull requests
1 participant
@BlairCurrey