Good article, but one thing is explained in a weird way:
Don't bother with cookie expiration. That's the wrong approach, because the cookie is controlled by the user. Always do a server-side check whether or not the auth token in the cookie is allowed to continue the session.
So you could simply set the expiration date for a cookie until 2030 but make sure that the auth token from that cookie cannot be used after $EXPIRATION_TIMESTAMP on the server.
You could also follow a layered approach:
If the user logs in every few days, re-authenticate him using the auth token from the cookie. But if the user was seen more than $MAX_INACTIVE_DAYS ago, do not re-authenticate and terminate all sessions, even if the "remember me" function is set to half a year or so.
I wouldn't go as far as "Don't bother with cookie expiration.", but you're certainly right in that you can't _rely_ on "the browser" to honor them (or even actually be a browser).
I'd still recommend setting reasonable expirations, even if it's only to be seen to be doing the right thing. Far future expirations aren't useful (as you explain) and they only serve to make it look like you're "doing in wrong". (And, for the 99.9% case of non-malicious regular users, expiring the cookies normally saves the sever the effort of looking up the session state of an already expired session with a 2030 expiry cookie. Don't _rely_ on it, but take advantage of it working right under normal conditions.)
Good point, but your explanation is also a bit confusing. If I understand correctly, your point is not so much "don't bother with cookie expiration" as "don't trust cookies to expire when you tell them to". In other words, the server should double-check cookie expiration dates because you don't want somebody fudging your 7-day cookie and using it to log in next year. Am I right?
> A more pragmatic mitigation is to still separate the auth cookie from a dedicated “remember me” cookie and use the latter to re-authenticate the user but impose some restrictions.
What are the benefits of using a separate cookie for the "remember me" feature, provided that you impose the same restrictions (e.g. requiring the password again before accessing sensitive areas of the website) and same security measures like "httponly" & "secure"?
I've been using a single cookie with a randomly generated and periodically replaced session identifier, which expires at the end of the session by default but lasts longer if the user selects "remember me". I'd like to know whether there is a compelling reason to switch to two cookies.
One significant benefit is being able to enforce a one-time use policy the remember-me cookie. If you only utilize it when the user is not logged in, then you use it to authenticate, set a regular session cookie, and generate a new remember-me cookie. If an old remember-me cookie is ever used that means someone probably sniffed the cookie, and you can invalidate all sessions at that point and even force a password reset if you are particularly paranoid. You can't do this with the regular session cookie because a user might have multiple tabs open. For remember-me the same effect is only a race condition if the user opens two tabs simultaneously.
It slightly lowers the attack cross-section. If you implement the separate login cookie scheme described in the linked article[2] you also get a limited ability to detect hijacked sessions and limit the length of time an attacker has access to the account.
[1] "One argument against long expiration of auth cookies is that they’re effectively keeping the user authenticated and at risk of attacks such as CSRF or clickjacking. Of course the application needs to exhibit other risks in order for an attacker to capitalise on the long lasting cookie but the whole defence in depth argument comes up again."
I think the restrictions are things like restricting by IP, reducing simultaneous use, throttling the rate you can create new sessions.
With a unified token, you have to always trust it for as long as the 'remember me' token is alive. With split tokens, you can do a sanity checks like those mentioned above on every session initialisation.
The value of splitting the tokens into separate cookies seems to be simplicity of implementation. You can rely on the browser to invalidate the session cookie on a browser close, but leave the 'remember me' cookie (as far as you can rely on the browser to do anything).
Every useful restriction I can think of seems brittle, so I guess it's weighing up security against support.
Remember me cookies are a specific case of some data sent to the client that the server would like to verify at a later point in time. The most direct way that comes to mind for solving this type of problem is to send the client just a random identifier and have the server look it up in a persistent store upon use.
The other way of solving it is to have the server sign whatever data is sent to the client via an HMAC. That combined with some basic serialization gets you a generic approach that you can use for all kinds of things. This also has the scalable benefit that it doesn't require a centralize persistent store.
Here's a high level summary of how we handle these use cases:
# Server -> Client (Assume server wants to round trip object X)
1. Server serializes X to a URL friendly string (JSON + Base64 works well enough for this)
2. Server calls generateToken(type, message, expiration) which signs the message/expiration with secretKey+type. It then returns a JSON/Base64 serialized map containing message/expiration/hmac.
# Client -> Server
1. Client sends back the final JSON/Base64 string
2. Server decodes and extracts the message, expiration, and hmac
3. Server verifies the HMAC by regenerating it and comparing it against the client supplied one
4. Server verifies the expiration date hasn't passed
5. Server returns back the deserialized object
Couple of notes:
* The HMAC prevents the client from tampering with the message
* The 'type' field is so that tokens generated for one request type cannot be accepted somewhere else in the application. It's kind of like namespacing.
* The 'type' field does not need to be included in the message itself. It's inferred by the server based on the client request type.
* The object/message itself can be blank. In that case this becomes a secure expiring token.
Couple of possible extensions/improvements:
* If the data being sent back/forth is particularly sensitive you could also have the server encrypt either it or the entire message itself. If it's not though then it would be overkill.
* Including the requesting clients IP in the HMAC generation to further limit the set of user's it would validate against is an option as well though generally that's a bad idea. People's IP addresses change fairly often and that kills the basic use case of taking your work home with you.
This is where most cookie schemes wind up -- sending and retrieving HMACs.
I wrote my honours dissertation on an opt-in scheme that used cookies, HTTPS and javascript to track users visiting multiple websites.
What you have here is what I called "Protocol 1": the first elaboration of the naive protocol. An additional elaboration (Protocols 2 and 3) is to remove user identification from cookies entirely. Each cookie is regenerated on each HTTP request with a new ID and HMAC. This means that if a cookie is successfully harvested, its useful lifetime is limited.
There are more attacks after this. I got as far as Protocol 10; it transpires that Protocol 10 is broken anyhow. Depending on the sophistication of your attacker, there's no safe way to do what I was trying to do.
> The most direct way that comes to mind for solving this type of problem is to send the client just a random identifier and have the server look it up in a persistent store upon use.
This is my preferred approach. I generate random 128-bit integers (using a random number generator who's purpose is to be used for cryptography purposes, so it's hard to observe) and store these in Redis with a year expiry, and send them back to the client to store in a cookie. When this token in the cookie is used, the TTL on the token is reduced to 5 minutes, which lets power users up multiple tabs at once. It's the simplest, but also most robust way, I've found to deal with this.
The cleverer I try and be, the more I tend to mess these things up.
This is a good approach for a lot of things. It's the approach Flask uses for its session data by default. I wouldn't recommend it for authentication in large deployments though.
One thing that it doesn't allow for is revocation of individual tokens. Invalidating auth tokens centrally is a very useful capability to have.
It's also possible to make the cookies non-exportable using a similar technique called channel binding[1], where the cookie is linked to the TLS channel it's minted over.
This is a lot more powerful than baking in the IP address when HMAC-ing the cookie but requires modification to the browser and server to get it up and running.
Regarding how long to keep the "remember me" cookie for, this is one of the overlooked reasons why native apps are eating the web's breakfast. When was the last time you have to re-authenticate on a native mobile app?
Maybe it happens on some finance/banking apps, but I don't recall seeing it on apps like Facebook or Kindle for example.
Web developers could, for example, add longer times if the user agent is mobile.
And Troy is spot on about the middle ground of "logged-in-ness". Developers are finally realising what Amazon knew all along, that it's not binary. You can keep the user partially logged in, while requiring authentication to perform sensitive tasks.
Yup. Mozilla persona browser integration should already be here. Then, web apps can delegate auth to the browser much as native apps delegate to the operating system.
How does the "reference implementation" of ASP.NET actually work? Is the cookie's value mapped to some in-memory entry in the application server, is it stored in a database, etc? It seems that the article doesn't say.
> Is the cookie's value mapped to some in-memory entry in the application server, is it stored in a database, etc?
Neither. At login the server signs the new session cookie with a secret application key. Later, when a client requests a page and sends over the session cookie, the server verifies the signature. If it matches, the data in the session cookie -- which usually includes the username, whether they're logged in, and for how long -- can be trusted.
This is nice because it makes scaling a stateful site easier. Server-side session stores often become the bottleneck. Also, from a REST standpoint, updating a session database during a GET request (eg to freshen the session) is problematic.
ASP.net was the first time I remember seeing the signed session cookie trick, but most web frameworks have it now:
Most of this discussion I understand. One point
is, it all involves lots of work with browser
cookies stored on the user's computer.
My approach so far is to send the user
the character string version of a GUID
(globally unique identifier, supposely
unique in all space and time, on all computers
or some such) in an HTML text box marked
as "hidden" so that it doesn't show on the
screen. Then I use that GUID value as
a key in a key-value store where the value
keeps the short term info I want on the
user and their 'session'. I wrote my
own little key-value store with TCP/IP,
some class instance de/serialization,
and two instances of a .NET collection
class.
However, my understanding is that some browsers
are willing to help implement the function
"Remmeber me on this computer" without help of
cookies. How? My guess: For the text boxes on the
login in Web page, in the HTML use names
for the boxes that the browser interprets
as 'user name' and 'password', and then
the browser stores the contents
in its dedicated disk space
by Web page. Right?
So, there's a 'security hole' here
if the user is on a computer shared
with other people!
Also, my understanding is that
so far on mobile devices, the browsers
do not permit cookies. True? And
if so, do mobile browsers permit
the function of remember me I
described above?
You are a bit confused, but I'm not sure why you're being downvoted...
> GUID
GUIDs are really not the best idea, they can be (sort of) predicted - an attacker can guess which GUIDs are in use as session identifiers. Better to use a random string (generated by a cryptographic random number generator)
> without cookies
Browsers can store user's password when they request it. It is a security hole, consciously made by the user for added convenience. Also, only the user who made this decision can fall into this hole - it's his credentials that get stolen.
> mobile devices ... do not permit cookies
they do (although some might not store the cookies for as long as the expiration would require). However, they don't allow the user to store the password (as in the previous paragraph, the remember me function as you call it)
To round it up, it's a good thing you're experimenting with your own key/value store and session implementation, but it's usually better to use tested components in production (especially for the session stuff - it's very easy to get wrong). Anyway, keep experimenting, that's the best way to learn - I just hope somebody reviews your stuff before you shoot yourself in the foot :)
I tend to like doing: sha256(sha256($password) . $ip)
This encrypts the password and makes the cookie only usable by the IP it was set for. Then to verify the cookie, since I already store sha256 of the password, it's trivial to do, without having to store an additional token for persistence. Of course you can replace sha256 with your fav hashing function.
What if the user gets their session hijacked when they're on a static or long-term dynamic IP? If the user were to relogin, their session ID would be the same. I think it would be beneficial to at least store a salt associated with their session and regenerate the salt when authenticating.
In most parts of the world, users have dynamic IP's that change every time they connect to their ISP (often multiple times/day in the case of home users)
Remembering the username can be pretty useful, especially if you find yourself in a place where you common usernames are taken on other sites and you have to use different usernames in different places.
Being reminded of a username could also be helpful if you have more
than one username at a given site - for instance, personal and
business accounts for a bank or credit card site, per-project
accounts for a contractor, etc.
Not to mention the sheer convenience of one less thing to type--especially helpful if you are on a mobile device, where typing is still a pain vs. on a full keyboard.
Client generates random value, puts it into cookie and passes it to server along with valid credentials. Server remebers it for this user and whenever at later time it sees this value in the cookie it logs in this user. Server forgets this value when this user logs out and after some time.
If client does't have javascript or you don't trust randomness it can generate you can create this value on server and make the server set this cookie when it responds to login.
What is the point of generating this value on the client? The second scenario you describe seems to work the same, minus the need to generate values on the client, with the same outcome.
There's a lot of misinformation in this thread, so I'm going to describe best practice for this sort of thing.
1. The client authenticates, and asks to be remembered.
2. The server generates a cryptographically random token of at least 128 bits in length. This token is *never* directly stored server-side.
3. The hash (or, possibly, a slow-hash) of the token is saved in the database along with a time of expiry
4. The non-hashed token is sent to the client as a cookie completely independent of the session cookie
When the client visits the website:
1. The server checks for the presence of the remember-me cookie
2. If the cookie is set, it is hashed and this hash is searched for in the database (and filtered to tokens with expiry times after now)
3. If the user is successfully logged in, the old token is deleted from the database. A new token is generated and sent to the client by the previously-described process
Now for a little bit of explanation.
This process completely isolates the authentication token from the session. If a token is somehow intercepted or discovered by an attacker, it is only usable for a single session. Such tokens should never be allowed to serve as permanent entry points into a user's account.
The token is never directly stored server-side. This confers two benefits. First, these tokens should be considered password-equivalent — if someone manages to steal your table of remember-me tokens, they would be completely unable to use them to log into a user's account. Second, this prevents timing attacks; if you simply looked for matching tokens in your database, an attacker can (shockingly simply) use timing information to guess a user's remember-me token in O(n) time.
I don't see why you have to store the hash of the token. You know the key you used for HMACing, why can't you just check that the cookie contains a valid hash of the rest of its data (which is as extensive as you need: session id, expiry, IP, whatever)? To prevent the use of old sessions just make the session id a counter. A single session counter per user is probably less hassle (and more useful) to store than the whole hash.
> What this means is that client script can access those cookies which means that if you can get a piece of XSS onto the site – just as you can on the Aussie Farmers site – you can steal cookies containing passwords if you can get a customer to load the XSS payload
The author is saying that, putting the password in a cookie means that, if there is an XSS vulnerability somewhere, it can be trivially used to steal usernames and passwords, since the XSS can be used to inject code on the site that can grab the values from document.cookie and append them to a hidden iframe.
It's really unclear, but I think it's a loose reference to an older hack that involves patching javascript's Array to steal data when parsing JSON. The references to 'old array' and 'new array' in the screenshot seem to be the tipoff. This is my best guess at least.
I don't know if it's what Troy was implying, but JSON as a cookie payload along with the seemingly ubiquitous "parsing JSON using YAML and the YAML parser executing it as arbitrary code" vulnerability seems like it'd at least be worth attempting to attack there.
(Probably not what Troy was thinking, since that'd result in server-side SQLi or arbitrary code execution problems, not client-side ones like XSS. Also, I thnik Troy is more a .Net/asp kind of guy, not a Ruby-ist - which might make that YAML parser issue in Ruby/Rails not something he's concerned about)
[+] [-] WA|12 years ago|reply
Don't bother with cookie expiration. That's the wrong approach, because the cookie is controlled by the user. Always do a server-side check whether or not the auth token in the cookie is allowed to continue the session.
So you could simply set the expiration date for a cookie until 2030 but make sure that the auth token from that cookie cannot be used after $EXPIRATION_TIMESTAMP on the server.
You could also follow a layered approach:
If the user logs in every few days, re-authenticate him using the auth token from the cookie. But if the user was seen more than $MAX_INACTIVE_DAYS ago, do not re-authenticate and terminate all sessions, even if the "remember me" function is set to half a year or so.
[+] [-] bigiain|12 years ago|reply
I'd still recommend setting reasonable expirations, even if it's only to be seen to be doing the right thing. Far future expirations aren't useful (as you explain) and they only serve to make it look like you're "doing in wrong". (And, for the 99.9% case of non-malicious regular users, expiring the cookies normally saves the sever the effort of looking up the session state of an already expired session with a 2030 expiry cookie. Don't _rely_ on it, but take advantage of it working right under normal conditions.)
[+] [-] kijin|12 years ago|reply
[+] [-] kijin|12 years ago|reply
What are the benefits of using a separate cookie for the "remember me" feature, provided that you impose the same restrictions (e.g. requiring the password again before accessing sensitive areas of the website) and same security measures like "httponly" & "secure"?
I've been using a single cookie with a randomly generated and periodically replaced session identifier, which expires at the end of the session by default but lasts longer if the user selects "remember me". I'd like to know whether there is a compelling reason to switch to two cookies.
[+] [-] dasil003|12 years ago|reply
[+] [-] mmcnickle|12 years ago|reply
It slightly lowers the attack cross-section. If you implement the separate login cookie scheme described in the linked article[2] you also get a limited ability to detect hijacked sessions and limit the length of time an attacker has access to the account.
[1] "One argument against long expiration of auth cookies is that they’re effectively keeping the user authenticated and at risk of attacks such as CSRF or clickjacking. Of course the application needs to exhibit other risks in order for an attacker to capitalise on the long lasting cookie but the whole defence in depth argument comes up again."
[2] http://jaspan.com/improved_persistent_login_cookie_best_prac...
[+] [-] ajanuary|12 years ago|reply
With a unified token, you have to always trust it for as long as the 'remember me' token is alive. With split tokens, you can do a sanity checks like those mentioned above on every session initialisation.
The value of splitting the tokens into separate cookies seems to be simplicity of implementation. You can rely on the browser to invalidate the session cookie on a browser close, but leave the 'remember me' cookie (as far as you can rely on the browser to do anything).
Every useful restriction I can think of seems brittle, so I guess it's weighing up security against support.
[+] [-] jbri|12 years ago|reply
[+] [-] sehrope|12 years ago|reply
The other way of solving it is to have the server sign whatever data is sent to the client via an HMAC. That combined with some basic serialization gets you a generic approach that you can use for all kinds of things. This also has the scalable benefit that it doesn't require a centralize persistent store.
Here's a high level summary of how we handle these use cases:
# Server -> Client (Assume server wants to round trip object X)
# Client -> Server Couple of notes:* The HMAC prevents the client from tampering with the message
* The 'type' field is so that tokens generated for one request type cannot be accepted somewhere else in the application. It's kind of like namespacing.
* The 'type' field does not need to be included in the message itself. It's inferred by the server based on the client request type.
* The object/message itself can be blank. In that case this becomes a secure expiring token.
Couple of possible extensions/improvements:
* If the data being sent back/forth is particularly sensitive you could also have the server encrypt either it or the entire message itself. If it's not though then it would be overkill.
* Including the requesting clients IP in the HMAC generation to further limit the set of user's it would validate against is an option as well though generally that's a bad idea. People's IP addresses change fairly often and that kills the basic use case of taking your work home with you.
[+] [-] jacques_chester|12 years ago|reply
I wrote my honours dissertation on an opt-in scheme that used cookies, HTTPS and javascript to track users visiting multiple websites.
What you have here is what I called "Protocol 1": the first elaboration of the naive protocol. An additional elaboration (Protocols 2 and 3) is to remove user identification from cookies entirely. Each cookie is regenerated on each HTTP request with a new ID and HMAC. This means that if a cookie is successfully harvested, its useful lifetime is limited.
There are more attacks after this. I got as far as Protocol 10; it transpires that Protocol 10 is broken anyhow. Depending on the sophistication of your attacker, there's no safe way to do what I was trying to do.
[+] [-] ocharles|12 years ago|reply
This is my preferred approach. I generate random 128-bit integers (using a random number generator who's purpose is to be used for cryptography purposes, so it's hard to observe) and store these in Redis with a year expiry, and send them back to the client to store in a cookie. When this token in the cookie is used, the TTL on the token is reduced to 5 minutes, which lets power users up multiple tabs at once. It's the simplest, but also most robust way, I've found to deal with this.
The cleverer I try and be, the more I tend to mess these things up.
[+] [-] mmcnickle|12 years ago|reply
One thing that it doesn't allow for is revocation of individual tokens. Invalidating auth tokens centrally is a very useful capability to have.
[+] [-] kniht|12 years ago|reply
This is a lot more powerful than baking in the IP address when HMAC-ing the cookie but requires modification to the browser and server to get it up and running.
[1] http://www.browserauth.net/channel-bound-cookies
[+] [-] mmahemoff|12 years ago|reply
Maybe it happens on some finance/banking apps, but I don't recall seeing it on apps like Facebook or Kindle for example.
Web developers could, for example, add longer times if the user agent is mobile.
And Troy is spot on about the middle ground of "logged-in-ness". Developers are finally realising what Amazon knew all along, that it's not binary. You can keep the user partially logged in, while requiring authentication to perform sensitive tasks.
[+] [-] winthrowe|12 years ago|reply
All the time. The Facebook android app is horrible.
[+] [-] sergiosgc|12 years ago|reply
[+] [-] brown9-2|12 years ago|reply
[+] [-] sigil|12 years ago|reply
Neither. At login the server signs the new session cookie with a secret application key. Later, when a client requests a page and sends over the session cookie, the server verifies the signature. If it matches, the data in the session cookie -- which usually includes the username, whether they're logged in, and for how long -- can be trusted.
This is nice because it makes scaling a stateful site easier. Server-side session stores often become the bottleneck. Also, from a REST standpoint, updating a session database during a GET request (eg to freshen the session) is problematic.
ASP.net was the first time I remember seeing the signed session cookie trick, but most web frameworks have it now:
django -- https://docs.djangoproject.com/en/dev/topics/http/sessions/#...
rails -- http://guides.rubyonrails.org/security.html#session-storage
flask -- http://flask.pocoo.org/docs/api/#sessions
node -- https://github.com/mozilla/node-client-sessions
mojolicious -- http://toroid.org/ams/etc/mojolicious-session-cookies
[+] [-] graycat|12 years ago|reply
Most of this discussion I understand. One point is, it all involves lots of work with browser cookies stored on the user's computer.
My approach so far is to send the user the character string version of a GUID (globally unique identifier, supposely unique in all space and time, on all computers or some such) in an HTML text box marked as "hidden" so that it doesn't show on the screen. Then I use that GUID value as a key in a key-value store where the value keeps the short term info I want on the user and their 'session'. I wrote my own little key-value store with TCP/IP, some class instance de/serialization, and two instances of a .NET collection class.
However, my understanding is that some browsers are willing to help implement the function "Remmeber me on this computer" without help of cookies. How? My guess: For the text boxes on the login in Web page, in the HTML use names for the boxes that the browser interprets as 'user name' and 'password', and then the browser stores the contents in its dedicated disk space by Web page. Right?
So, there's a 'security hole' here if the user is on a computer shared with other people!
Also, my understanding is that so far on mobile devices, the browsers do not permit cookies. True? And if so, do mobile browsers permit the function of remember me I described above?
Thanks.
[+] [-] yread|12 years ago|reply
> GUID
GUIDs are really not the best idea, they can be (sort of) predicted - an attacker can guess which GUIDs are in use as session identifiers. Better to use a random string (generated by a cryptographic random number generator)
> without cookies
Browsers can store user's password when they request it. It is a security hole, consciously made by the user for added convenience. Also, only the user who made this decision can fall into this hole - it's his credentials that get stolen.
> mobile devices ... do not permit cookies
they do (although some might not store the cookies for as long as the expiration would require). However, they don't allow the user to store the password (as in the previous paragraph, the remember me function as you call it)
To round it up, it's a good thing you're experimenting with your own key/value store and session implementation, but it's usually better to use tested components in production (especially for the session stuff - it's very easy to get wrong). Anyway, keep experimenting, that's the best way to learn - I just hope somebody reviews your stuff before you shoot yourself in the foot :)
[+] [-] dendory|12 years ago|reply
This encrypts the password and makes the cookie only usable by the IP it was set for. Then to verify the cookie, since I already store sha256 of the password, it's trivial to do, without having to store an additional token for persistence. Of course you can replace sha256 with your fav hashing function.
[+] [-] sehrope|12 years ago|reply
Storing SHA-256 of passwords is a bad idea. You should use either scrypt, bcrypt, or at the very least PBDKF2 (with a large number of rounds).
For a signed token round tripped to the client you should use an HMAC[1].
[1]: http://en.m.wikipedia.org/wiki/Hash-based_message_authentica...
[+] [-] danielweber|12 years ago|reply
[+] [-] atburrow|12 years ago|reply
sha256($password . $ip . $random_salt)
You could also regenerate the salt periodically.
[+] [-] markdown|12 years ago|reply
[+] [-] unclebucknasty|12 years ago|reply
There's just no value in using the password as a basis. Why not instead just generate a random, unique token?
[+] [-] danielweber|12 years ago|reply
[+] [-] dmckeon|12 years ago|reply
[+] [-] unclebucknasty|12 years ago|reply
[+] [-] scotty79|12 years ago|reply
Client generates random value, puts it into cookie and passes it to server along with valid credentials. Server remebers it for this user and whenever at later time it sees this value in the cookie it logs in this user. Server forgets this value when this user logs out and after some time.
If client does't have javascript or you don't trust randomness it can generate you can create this value on server and make the server set this cookie when it responds to login.
[+] [-] brown9-2|12 years ago|reply
[+] [-] stouset|12 years ago|reply
This process completely isolates the authentication token from the session. If a token is somehow intercepted or discovered by an attacker, it is only usable for a single session. Such tokens should never be allowed to serve as permanent entry points into a user's account.
The token is never directly stored server-side. This confers two benefits. First, these tokens should be considered password-equivalent — if someone manages to steal your table of remember-me tokens, they would be completely unable to use them to log into a user's account. Second, this prevents timing attacks; if you simply looked for matching tokens in your database, an attacker can (shockingly simply) use timing information to guess a user's remember-me token in O(n) time.
[+] [-] jessaustin|12 years ago|reply
[+] [-] thesis|12 years ago|reply
[+] [-] yahelc|12 years ago|reply
The author is saying that, putting the password in a cookie means that, if there is an XSS vulnerability somewhere, it can be trivially used to steal usernames and passwords, since the XSS can be used to inject code on the site that can grab the values from document.cookie and append them to a hidden iframe.
[+] [-] bemurphy|12 years ago|reply
See http://flask.pocoo.org/docs/security/#json-security for info. Most modern browsers don't let you patch Array like this anymore.
Also, that's more a csrf issue so, I could be totally wrong.
[+] [-] bigiain|12 years ago|reply
(Probably not what Troy was thinking, since that'd result in server-side SQLi or arbitrary code execution problems, not client-side ones like XSS. Also, I thnik Troy is more a .Net/asp kind of guy, not a Ruby-ist - which might make that YAML parser issue in Ruby/Rails not something he's concerned about)
[+] [-] wasd|12 years ago|reply