ktor icon indicating copy to clipboard operation
ktor copied to clipboard

Published 20 hours ago verified publisher icon ktorio

CookieConfiguration should default to secure configuration and require user opt-out

Open JLLeitschuh opened this issue 6 years ago • 6 comments

Ktor Version

master

Feedback

Currently, the configuration defaults for the Session CookieConfiguration defaults to an insecure configuration.

The power of defaults cannot be overstated in a security context.

Instead of defaulting to being insecure, the session cookie should instead default to secure.

Requiring the user to opt-out of the security of these Cookie protections means far fewer default servers will be vulnerable to HTTP downgrade attacks exposing session cookies and will prevent XXS attacks from being leveraged to steal sessions.

https://github.com/ktorio/ktor/blob/583760a04d07c985376ad2f19e656d365adb9a0f/ktor-server/ktor-server-core/jvm/src/io/ktor/sessions/SessionTransportCookie.kt#L83-L86

https://github.com/ktorio/ktor/blob/583760a04d07c985376ad2f19e656d365adb9a0f/ktor-server/ktor-server-core/jvm/src/io/ktor/sessions/SessionTransportCookie.kt#L88-L91

This is not technically a "security vulnerability", it's just an insecure default. This is not unique to Ktor, many libraries default to this "insecure by default" model, but there's no reason why Ktor needs to help perpetuate the insecurity.

I might classify this under CWE-276: Incorrect Default Permissions.

JLLeitschuh avatar Apr 26 '19 16:04 JLLeitschuh

I completely agree with httpOnly option that could be safely made true by default. The first one can't be true by default since it will never work in development environment that is very annoying, so all developers will simply disable this option forever and most likely there will be tons of open tickets about "sessions do not work"

cy6erGn0m avatar Apr 29 '19 07:04 cy6erGn0m

@cy6erGn0m (The start of a potentially bad thought) Is there any good way to detect a development vs production environment and enable this?

Or perhaps auto enable when TLS is enabled?

This might all just be a terrible idea, and I respect that.

I completely agree with httpOnly option that could be safely made true by default.

I agree, thank you for being willing to make the change.

JLLeitschuh avatar Apr 29 '19 14:04 JLLeitschuh

The other problem is that making it secure = true by default will lead to not working sessions over non-tls connector without any diagnostics so one wouldn't be able to understand why it doesn't work. Always throwing an exception at attempt to set session would be too rough...

cy6erGn0m avatar Apr 30 '19 21:04 cy6erGn0m

@cy6erGn0m Can you add a disclaimer to the documentation with a big warning telling users to enable this feature before shipping to production?

JLLeitschuh avatar May 01 '19 14:05 JLLeitschuh

Yes, good idea

cy6erGn0m avatar May 08 '19 22:05 cy6erGn0m

Please check the following ticket on YouTrack for follow-ups to this issue. GitHub issues will be closed in the coming weeks.

oleg-larshin avatar Aug 10 '20 15:08 oleg-larshin