CookieSessionHandler proposal #22312
Comments
From a security perspective, this looks like a terrible, terrible idea, or did I miss something here?
@iltar Please describe your worrisome thoughts
See also https://softwareengineering.stackexchange.com/questions/146692/why-do-popular-websites-store-very-complicated-session-related-data-in-cookies for why this may work. Cookies are cheap, basically. Also consider encryption and data chunking.
In Symfony the cookie can contain objects (Security, Flashes), which are serialized. Storing PHP serialized objects on the client side makes it possible for the client to modify these values and therefore introduce a remote scripting attack! Unless you use a secure storage format (JSON for example) and make absolutely sure to never store a serialized object, it cannot be safe. No, encryption is possible, but unless you use a secure (not mcrypt) system this can still be compromised.
Seems like a good case for libsodium then. Note that the NelmioSecurityBundle does offer cookie signing. It did offer encryption, but is deprecating it due to mcrypt being not so good.
Throwing more information on the heap: http://bigornot.blogspot.com/2008/06/securing-cookies-php-implementation.html Generally people like using cookies for this since you can have stateless authentication without hitting the database. I don't generally think it's a good idea, but wanted to offer bigornot's blog post into the discussion.
You know a blog post is old when they recommend
Libsodium is the only secure standard (for now), you can also use https://github.com/paragonie/halite/blob/master/src/Cookie.php (GPL licensed, commercial licenses available) for a complete Libsodium usage implementation. |
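The two points raised above (never hand client-supplied bytes to unserialize(); if session data goes into a cookie, encrypt and authenticate it with libsodium rather than mcrypt) as an added example. This is not code from Symfony, NelmioSecurityBundle or Halite; it assumes PHP >= 7.4 with ext-sodium, a 32-byte key that lives only on the server, and the class and function names below are made up for the illustration.

```php
<?php
declare(strict_types=1);

// Added example, not Symfony's own code. Assumes ext-sodium and a server-side key.

// What the thread warns against: PHP-native serialization of untrusted input.
// Whoever edits the cookie chooses the class and properties that unserialize()
// instantiates, so this must never run on client-supplied bytes.
function unsafeDecode(string $cookie)
{
    return unserialize(base64_decode($cookie)); // DO NOT USE
}

// Hardened form: JSON for the payload (plain data, no objects), then
// secretbox = XSalsa20-Poly1305, i.e. encryption plus authentication in one call.
final class CookieSessionCodec
{
    private const MAX_COOKIE_BYTES = 4096; // typical browser per-cookie limit

    private string $key;

    public function __construct(string $key)
    {
        if (strlen($key) !== SODIUM_CRYPTO_SECRETBOX_KEYBYTES) {
            throw new InvalidArgumentException('key must be ' . SODIUM_CRYPTO_SECRETBOX_KEYBYTES . ' bytes');
        }
        $this->key = $key;
    }

    /** Encode session data as JSON, encrypt+authenticate, base64url for the cookie. */
    public function encode(array $session): string
    {
        $plain = json_encode($session, JSON_THROW_ON_ERROR);
        $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES); // fresh per cookie
        $box   = sodium_crypto_secretbox($plain, $nonce, $this->key);
        $value = sodium_bin2base64($nonce . $box, SODIUM_BASE64_VARIANT_URLSAFE_NO_PADDING);
        if (strlen($value) > self::MAX_COOKIE_BYTES) {
            throw new LengthException('session too large for one cookie: chunk it or keep it server-side');
        }
        return $value;
    }

    /** Returns the session array, or null if the cookie is missing, malformed or tampered with. */
    public function decode(?string $cookie): ?array
    {
        if ($cookie === null || $cookie === '') {
            return null;
        }
        try {
            $raw = sodium_base642bin($cookie, SODIUM_BASE64_VARIANT_URLSAFE_NO_PADDING);
        } catch (SodiumException $e) {
            return null; // not even valid base64url
        }
        if (strlen($raw) < SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES) {
            return null;
        }
        $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
        $box   = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
        $plain = sodium_crypto_secretbox_open($box, $nonce, $this->key);
        if ($plain === false) {
            return null; // Poly1305 tag mismatch: the client modified the cookie
        }
        $data = json_decode($plain, true); // arrays only, never objects
        return is_array($data) ? $data : null;
    }
}

// Demo with a constructed session. In practice load the key from configuration.
$key   = sodium_crypto_secretbox_keygen();
$codec = new CookieSessionCodec($key);

$cookie  = $codec->encode(['user_id' => 42, 'roles' => ['ROLE_USER'], '_flash' => []]);
$session = $codec->decode($cookie);
assert($session !== null && $session['user_id'] === 42);

// Flip one ciphertext bit: decode() refuses the cookie instead of returning data.
$raw = sodium_base642bin($cookie, SODIUM_BASE64_VARIANT_URLSAFE_NO_PADDING);
$last = strlen($raw) - 1;
$raw[$last] = chr(ord($raw[$last]) ^ 0x01);
$tampered = sodium_bin2base64($raw, SODIUM_BASE64_VARIANT_URLSAFE_NO_PADDING);
assert($codec->decode($tampered) === null);
```

The codec only guarantees that the server reads back exactly what it wrote: it does not stop a client from replaying an older, still-valid cookie, and it cannot invalidate a session server-side, since there is no server state to delete. Both are inherent to cookie-stored sessions and are the usual reason to keep at least an identifier or expiry server-side.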
I'm closing here as this doesn't need to be in core. A third party library could provide it. |
What do you think about a new session handler which stores session data in cookies?
For example, this one is already implemented in Laravel.
Also RoR and Django provide it.
Do we need it or not?