Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Enhance Auth Session Cookie Security #2844

Open
4 tasks
BlairCurrey opened this issue Aug 6, 2024 · 0 comments
Open
4 tasks

Enhance Auth Session Cookie Security #2844

BlairCurrey opened this issue Aug 6, 2024 · 0 comments
Labels
pkg: auth Changes in the GNAP auth package. type: security Security related

Comments

@BlairCurrey
Copy link
Contributor

BlairCurrey commented Aug 6, 2024

Auth sessions were moved into Redis which took the session content out of the cookie that gets sent to the client (leaving just the identifier). In fixing some aspects of this, we found that we could beef up security measures in a few additional ways:

  • Use the secure flag in koa-session. May need to use ngrok/tunnelmole, etc. to validate it's working as intended from localhost. Note auth helm chart NODE_ENV is development. Might need to be updated if checking for production here or elsewhere with these settings.
  • Apply the appropriate SameSite attribute (if different than the current default). I don' think strict will work.
  • Ensure httpOnly cookies are set (should already be the case)
  • Prefix with __Secure- (or probably even better) __Host-. This depends on the secure flag and would require the same sort of local setup to test.

More info on these settings: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#attributes

@BlairCurrey BlairCurrey added discussions: ideas Convert to an idea discussion type: security Security related pkg: auth Changes in the GNAP auth package. labels Aug 6, 2024
@BlairCurrey BlairCurrey removed the discussions: ideas Convert to an idea discussion label Sep 10, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
pkg: auth Changes in the GNAP auth package. type: security Security related
Projects
Status: Backlog
Development

No branches or pull requests

1 participant