Why can't the Yesod session cookie be hijacked?

The Yesod book says

The encryption prevents the user from inspecting the data, and the signature ensures that the session can be neither hijacked nor tampered with.

It's not clear to me why this is the case. If an eavesdropper gets hold of the cookie as it is sent from the server and uses it before the legitimate user makes another request, won't the session end up being hijacked?

It seems to me that the only way to really prevent session hijacking is to use SSL throughout. But if I do so then the signing and encryption done by Yesod ends up being unnecessary overhead (EDIT: overhead as far as preventing hijacking is concerned. As @sr_ points out in the comments, it is still useful otherwise).

Asked Nov 14 '14 by Jyotirmoy Bhattacharya

1 Answer

That's a good catch. This used to be more accurate, when we would include the IP address of the client in the cookie to prevent hijacking. Combined with the anti-tampering protections, this made it basically impossible for a MITM attack to work unless you were NATed behind the same router or using the same proxy.

Unfortunately, we had to disable that protection due to concerns about proxies as well. It's possible for a single user's requests to come from multiple IP addresses due to intermediate proxy servers. I don't have data to tell how often this happens, but there was enough concern about this security feature causing breakage that we disabled it.

Thank you for bringing this up, I've corrected the book.

Answered Oct 31 '22 by Michael Snoyman