Should I be concerned if I am using the default cookie-based session
storage for a high security application? Nothing sensitive will be
stored on the cookie, but it's critical that one user cannot gain
access to another user's account. The security risks I see with
cookie-based storage are:
1. There is a single point of failure. If the secret key is stolen
(for example, by a rogue developer), the person in possession of the
key can log into any account he wishes.
2. It's not been as widely used as database-backed session, and
therefore not as tested.
3. The cryptographic algorithm could be compromised, which is always a
possibility (however unlikely.)
Should I be concerned if I am using the default cookie-based session
storage for a high security application? Nothing sensitive will be
stored on the cookie, but it's critical that one user cannot gain
access to another user's account. The security risks I see with
cookie-based storage are:
1. There is a single point of failure. If the secret key is stolen
(for example, by a rogue developer), the person in possession of the
key can log into any account he wishes.
2. It's not been as widely used as database-backed session, and
therefore not as tested.
given that it's been the default for well over a year I would question
that.
3. The cryptographic algorithm could be compromised, which is always a
possibility (however unlikely.)
While the risks in 1 and 3 do exist I don't think it's a game changer
compared to the other risks involved (people setting weak passwords,
the cryptographic algorithm securing your ssh or ssl sessions being
compromised and data being leaked that way, the rogue developer
harvesting data straight from the database, cookies being stolen via
XSS attacks etc.)