django-cookie-consent
Signed Cookies
I am wondering if we could use signed cookies anywhere in django-cookie-consent. Maybe we could turn the settings COOKIE_CONSENT_NAME cookie into a signed cookie?
https://code.djangoproject.com/wiki/Signing
https://docs.djangoproject.com/en/4.0/ref/request-response/#django.http.HttpRequest.get_signed_cookie
https://docs.djangoproject.com/en/4.0/ref/request-response/#django.http.HttpResponse.set_signed_cookie
https://stackoverflow.com/questions/6468507/what-are-signed-cookies-and-why-are-they-useful
https://stackoverflow.com/questions/12142058/performance-comparison-of-using-django-signed-cookie-session-over-django-db-ca
https://www.reddit.com/r/crypto/comments/esahns/why_does_a_server_sign_a_cookie/
For example, we can do something like this in util.py (the import is the app's own settings wrapper, which is where the COOKIE_CONSENT_* values come from):

```python
from .conf import settings  # app settings: COOKIE_CONSENT_* values


def set_cookie_dict_to_response(response, dic):
    # Write the consent dict as a signed cookie instead of a plain one
    if settings.COOKIE_CONSENT_SIGNED:
        response.set_signed_cookie(
            settings.COOKIE_CONSENT_NAME,
            dict_to_cookie_str(dic),
            expires=settings.COOKIE_CONSENT_MAX_AGE,
            domain=settings.COOKIE_CONSENT_DOMAIN,
            samesite=settings.COOKIE_CONSENT_SAMESITE,
            secure=settings.COOKIE_CONSENT_SECURE,
            httponly=settings.COOKIE_CONSENT_HTTPONLY,
        )
```

conf.py:

```python
SIGNED = True
```
If I do this though, it works in the browser but tests will fail when running `python3 tests/manage.py test`:

```
ERROR: test_get_success_url (tests.core.tests.test_views.CookieGroupBaseProcessViewTests)
If user adds a 'next' as URL parameter it should,
  cookie_consent/util.py", line 24, in parse_cookie_str
    key, value = c.split("=")
ValueError: not enough values to unpack (expected 2, got 1)

FAIL: test_cookies (tests.core.tests.test_views.IntegrationTest)
  tests/core/tests/test_views.py", line 116, in test_cookies
    self.assertContains(response, '"optional" cookies declined')
AssertionError: False is not true : Couldn't find '"optional" cookies declined' in response

FAIL: test_decline_cookie (tests.core.tests.test_views.IntegrationTest)
  tests/core/tests/test_views.py", line 81, in test_decline_cookie
AssertionError: False is not true : Couldn't find '' in response
```
It's not immediately clear to me what the benefit is. Signing cookies is usually used as an alternative to storing (session) data in the database, reading the (session) data directly from the cookie since you can trust it, but that behaviour is already the case - in https://github.com/bmihelac/django-cookie-consent/blob/master/cookie_consent/util.py#L44 the consent state is read from the cookie directly and matched against the cookie group definitions in the database. That last thing is not something you can avoid with signed cookies.
Additionally, I'm not sure I can see a problem if the end-user changes the value of the cookie - they're just changing their consent information in essence and this is equivalent to accepting/rejecting particular cookie groups through the views themselves - the end result is the same and there is no inherent security risk involved.
A signed cookie is a type of cookie that is signed using a secret key to ensure that the cookie has not been tampered with. In web applications, cookies are often used to store user information on the client-side. However, if a cookie is not secure, it can be easily modified by an attacker. A signed cookie helps prevent that from happening by adding an extra layer of security.
Here are a few key benefits of using signed cookies:

- Integrity: By signing a cookie, we ensure that it has not been altered between the time it was created and the time it is accessed. This provides a mechanism to verify that the cookie data is still valid.
- Security: Signed cookies add an extra layer of security to the cookie data. This is important because cookies can contain sensitive information, such as login credentials or user data.
- Simplicity: Signed cookies are easy to implement and work seamlessly with most web frameworks. You can sign a cookie using a secret key, and verify the signature using the same key when the cookie is accessed.
While it's true that signed cookies are often used to prevent malicious tampering with cookies, signing cookies can also provide benefits even if the cookies are not being explicitly tampered with, such as in this case with cookie consent.
One benefit of using signed cookies for cookie consent is that it ensures that the cookie has not been accidentally modified in transit. If an application is using unsigned cookies, it would be possible for a browser plugin, a proxy or a network attacker to modify the cookie, even if they are not intending to do so maliciously. This could result in the user's consent being lost or overridden, which could potentially cause issues with compliance or user trust.
Another benefit of using signed cookies is that it can help prevent a type of attack called "cookie replay attack". In this attack, an attacker intercepts a cookie sent from a user to a server and then replays the same cookie at a later time to gain unauthorized access to the server. By using signed cookies, this kind of attack can be prevented because the server will be able to detect if the cookie has been modified or if it has been replayed.
Regarding the argument that there is no inherent security risk involved if the end-user changes the value of the cookie, it's worth noting that this is partially true. While changing the value of a cookie may not directly pose a security risk, it could potentially violate user privacy or compromise data integrity if the cookie is being used to store sensitive information. In the case of cookie consent, if the user is able to modify the value of the cookie, it could potentially cause issues with compliance or user trust, as mentioned earlier.
Overall, while signed cookies may not be necessary for every use case of cookies, they can provide an extra layer of security and ensure the integrity of data stored in cookies to prevent accidental or malicious tampering.
I'm going to mark this as wontfix. If your infrastructure is changing cookies (intended or not), fix your infrastructure.
The replay attacks do not apply at all. They are relevant for authentication credentials, but these cookies to track consent aren't credentials, there's no risk in "replaying" them.
Proxies can read entire HTTP requests and responses to be able to function, so you'll always have that privacy concern. Again, ensure you trust your infrastructure. Signing does not make any difference; for that you would need encryption anyway, and that breaks reading the cookies from JavaScript.
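An added stdlib sketch to make the two sides of this thread concrete (my own code, not django-cookie-consent's util.py and not Django's signing module, though it mirrors the value:timestamp:signature layout that set_signed_cookie writes): the consent string stays readable inside the signed cookie, a flipped byte or an over-age cookie is rejected on verification, and the project-style raw `|`/`=` reader cannot parse the signed form, which is consistent with the parse_cookie_str traceback in the report when only the writer side is switched. The group names, the secret and the timestamp are constructed for the demo.

```python
import base64
import hashlib
import hmac

SECRET_KEY = "constructed-demo-secret"  # stands in for settings.SECRET_KEY
SEP = ":"  # Django's separator inside a signed cookie: value:timestamp:signature

def dict_to_cookie_str(dic):
    # Consent cookie layout: group=version pairs joined by '|'
    return "|".join(f"{k}={v}" for k, v in dic.items())

def parse_cookie_str(cookie_str):
    # Raw reader on request.COOKIES; raises ValueError when a '|' chunk holds no '='
    return dict(chunk.split("=") for chunk in cookie_str.split("|"))

def _signature(payload):
    # HMAC-SHA256, base64url without '=' padding: the shape Django's Signer emits
    mac = hmac.new(SECRET_KEY.encode(), payload.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).rstrip(b"=").decode()

def sign(value, now):
    # What set_signed_cookie stores; 'now' is an epoch second passed in for determinism
    payload = f"{value}{SEP}{now}"
    return f"{payload}{SEP}{_signature(payload)}"

def unsign(signed, now, max_age=None):
    # What get_signed_cookie checks: MAC first, then age; None means reject
    payload, _, sig = signed.rpartition(SEP)
    if not hmac.compare_digest(sig, _signature(payload)):
        return None
    value, _, ts = payload.rpartition(SEP)
    if max_age is not None and now - int(ts) > max_age:
        return None
    return value

def demo(now=1700000000):
    raw = dict_to_cookie_str({"optional": "-1", "required": "1"})  # constructed state
    cookie = sign(raw, now)
    visible = raw in cookie  # signing hides nothing: a proxy still reads the consent
    tamper_detected = unsign(cookie.replace("optional=-1", "optional=1"), now) is None
    restored = unsign(cookie, now, max_age=60) == raw
    expired = unsign(cookie, now + 61, max_age=60) is None
    glued = parse_cookie_str(cookie)["required"] != "1"  # last version absorbs ':ts:sig'
    try:  # with no groups the only chunk has no '=': the ValueError from the report
        parse_cookie_str(sign("", now))
        empty_raises = False
    except ValueError:
        empty_raises = True
    return visible, tamper_detected, restored, expired, glued, empty_raises
```

Run `demo()` to get six booleans; all six come back True, and the only way to read the cookie correctly again is to switch the reader to the unsigning path as well.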