Secure/bullet-proof cookies

Published 17th May 2008

There seems to be a discussion about bullet-proof cookies lately, and I'm quite surprised that most web developers haven't read the excellent "A Secure Cookie Protocol" research paper from Alex X. Liu.

Here's a short summary of the services a bullet-proof cookie should provide:

Confidentiality

In my opinion, high-level confidentiality is unnecessary. I think Marcus R. Breese describes this best in his blog:

"Specifically, my rule of thumb is that if you don’t want a client to know the data, don't send it to them."

I totally agree with him and further think that cookies should be used for authentication only, and that the data should be stored in the database.

Example: Wordpress

Wordpress 2.5 introduced a cookie structure similar to the one proposed in the research paper. A Wordpress 2.5 cookie is built as follows:

user name|expiration time|HMAC(user name|expiration time, k)
where k=HMAC(user name|expiration time, sk)
and sk=secret server key

Therefore a normal Wordpress cookie looks like this:

admin|1212093864|82436be3x303xaddd6fd31db338770a6

There are two points which are different from the originally proposed cookie protocol from Alex X. Liu.

The first one is that there's no data attached to this cookie - it's only used to authenticate the user. The second one is that there's no SSL session key attached.

Removing the SSL session key was not a good choice, since without anything binding the cookie to the connection it arrived on, a captured cookie can be replayed by an attacker until its expiration time passes. It was a necessary choice, though, because most Wordpress installations run on non-SSL hosts.
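To make the layout above concrete, here is an added Python example that issues and verifies a cookie with exactly the structure described (user name|expiration time|HMAC over those fields, keyed with k = HMAC(user name|expiration time, sk)). It is not Wordpress's code (which is PHP) and not code from the paper; the secret server key, the clock values, the choice of SHA-256 as the HMAC hash and the function names are all my assumptions, and it reproduces neither Wordpress's own hash choice nor its cookie parsing. It also shows the replay behaviour of the last paragraph: the same captured cookie string verifies again and again until it expires, because nothing in it is tied to the connection.

```python
import hashlib
import hmac

# Hypothetical server secret (sk). A real deployment loads a long random value
# from configuration; this constant is a constructed placeholder only.
SECRET_SERVER_KEY = b"constructed-example-secret-key-do-not-reuse"

# Hash for the HMACs is my choice; the page does not name one.
HASH = hashlib.sha256


def _message(user: str, expiration: int) -> bytes:
    """The authenticated fields, joined exactly as they appear in the cookie."""
    return f"{user}|{expiration}".encode()


def _derive_key(user: str, expiration: int, sk: bytes) -> bytes:
    """k = HMAC(user name|expiration time, sk).

    The server stores only sk; k is recomputed from the cookie's own fields on
    every check, so changing either field changes the key as well as the data."""
    return hmac.new(sk, _message(user, expiration), HASH).digest()


def make_cookie(user: str, expiration: int, sk: bytes = SECRET_SERVER_KEY) -> str:
    """Issue 'user name|expiration time|HMAC(user name|expiration time, k)'."""
    if "|" in user:
        # '|' is the field separator; a user name containing it would make the
        # fields parsed on verification differ from the fields that were signed.
        raise ValueError("user name must not contain '|'")
    k = _derive_key(user, expiration, sk)
    tag = hmac.new(k, _message(user, expiration), HASH).hexdigest()
    return f"{user}|{expiration}|{tag}"


def verify_cookie(cookie: str, now: int, sk: bytes = SECRET_SERVER_KEY):
    """Return the authenticated user name, or None if the cookie is rejected.

    Rejects: wrong field count, non-numeric expiration, an expiration at or
    before `now`, or a tag that does not match. Note what is NOT checked:
    nothing binds the cookie to the connection it arrived on, so a captured
    cookie verifies again until it expires (the replay problem of dropping the
    SSL session key)."""
    parts = cookie.split("|")
    if len(parts) != 3:
        return None
    user, exp_str, tag = parts
    if not exp_str.isdigit():
        return None
    expiration = int(exp_str)
    if now >= expiration:
        return None
    k = _derive_key(user, expiration, sk)
    expected = hmac.new(k, _message(user, expiration), HASH).hexdigest()
    # Constant-time comparison so the tag cannot be guessed byte by byte.
    if not hmac.compare_digest(tag, expected):
        return None
    return user


if __name__ == "__main__":
    expiration = 1212093864                  # constructed clock values
    now = expiration - 2 * 24 * 3600
    cookie = make_cookie("admin", expiration)
    print(cookie)
    print(verify_cookie(cookie, now))                                   # admin
    print(verify_cookie(cookie, now))                                   # admin again: replay
    print(verify_cookie("root|" + cookie.split("|", 1)[1], now))       # None: user changed
    print(verify_cookie(cookie, now=expiration))                        # None: expired
```

The verify step deliberately mirrors the issue step rather than storing anything per cookie, which is the property the derived-key construction buys: the server keeps one secret, and a forged or edited cookie fails because both the key and the message depend on the fields the attacker changed.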