thojanssens1

thojanssens1

Phx.gen.auth – isn't the storage of the session token into a signed cookie an overkill?

When we generate a token, we store the token in a signed cookie (via Plug.Conn.put_session/3) as seen in the generated auth code below:

token = Accounts.generate_user_session_token(user)
user_return_to = get_session(conn, :user_return_to)

conn
|> renew_session()
|> put_session(:user_token, token)

However, as our sessions are stateful (tokens stored in database with account id), aren’t signed cookie an unnecessary overkill (and consuming some server resources to verify signatures for every single request unnecessarily)?

As the tokens are stored in the database with attached information (e.g. account id), all the cookie needs to store is that token. Signed cookies, except if I missed something here, are useful for storing data in the cookie and make sure that data has not been altered; data such as the account id in order to have stateless sessions.

Most Liked

josevalim

josevalim

Creator of Elixir

Plus the token stored in the session is not hashed. Which means that if you don’t want to sign the session, you will need to at least hash the token to avoid timing attacks. So we are avoiding some of the work if we know it is going to the session.

Also, when it comes to security, having redundant measures is a good thing. For example, if your session tokens table leaks or someone gets access to it, they still won’t be able to sign in as any user because the token is signed (which is why we either hash or sign all tokens).

BartOtten

BartOtten

This thread is kinda useless without a benchmark. Last decade CPU’s have optimizations for signing (and encrypting+decrypting) so I guess the overhead is way to low to bother. Changes are high you can find other code to optimize which in turn increases req/s by a lot more. When using a database, I am confident there is a config flag that will make more difference :slight_smile:

But to answer the question: anything not signed will be tampered with! Even when using a large random identifier, a hacker will try. And without rate limiting (cause it influences req/s) you can be sure they will succeed one day. When the session is signed, most hackers will continue to seek weaker spots (on somebody elses application)

Ps. Once you get hacked, the ‘avarage req/s of this year’ will take a huge blow! :wink: Be smart; sign.

Eiamnacken

Eiamnacken

Maybe another side helps.

Having the session signed helps with runtime performance. It is faster to check a signature instead of doing first a cash lookup and thereafter, a database lookup.

If we take the threat modeled by owasp for getting access to a generic account, an attacker who is doing a brute force attack which we can defend with using a long session token. Each request would hit the database, which is calling a tcp connection. It also does load to your database. And only after that you can block the request.

On the other hand, the signing is just a hmac. This is using sha2 which newer processor have hardware routines backed into. So, the cost is negligible. Hammering this endpoint will not result in a risk of overusing your database. I would not say, that this prevents the need of using a request limiter. You still want to implement something like this.

This does not prevent the access of a middler in the middle attack.

The other threat josevalim mentioned, an attacket that gained access to your data.

Without signing you have a problem because now you have to trust that your sessions a short living. But the default for the session is 60 days. So enough time for an attacker to do some nasty stuff. Signing prevents this. And the statistics say you should not ask if your database leaks, but rather when your database leaks. So assuming that your data from the database will be public sometime in the feature is a good measurement. Because of this, you should also encrypt all personal stuff in your database.

I hope this shade some light on why signing is a good idea.

Where Next?

Popular in Questions Top

Darmani72
If I have a post route which an argument: post /my_post_route/:my_param1, MyController.my_post_handler How would get the post params ...
New
johnnyicon
Hi all, I’ve just started learning Elixir and Phoenix Framework, so please pardon my n00bness at this stage. I’m trying to use Postgres...
New
Fl4m3Ph03n1x
About me? ( if you have nothing better to do than reading about some random guy in the internet :stuck_out_tongue: ) Hello all, this is ...
New
sergio_101
I am VERY much an elixir newbie. I have taken one elixir course and one phoenix course on Udemy. During that course, I saw the instructor...
New
romenigld
I am trying to run a deploy with docker and I successfully runned with this command: docker build -t romenigld/blog-prod . but when I t...
New
nsuchy
Hi. I’ve noticed that Windows Powershell has it’s own IEX command and you cannot access Elixir’s IEX due to the conflict. This isn’t a cr...
New
yawaramin
In the Dialyzer docs ( dialyzer — OTP 29.0.2 (dialyzer 6.0.1) ), there is a way to turn off a specific warning for a function: -dialyzer...
New
hariharasudhan94
Lets say I have map like this fetching from my database %{"_id" => #BSON.ObjectId<58eb1a7a9ad169198c3dXXXX>, "email" => ...
New
jononomo
For some reason my phoenix channels are working for me in my local dev environment, but as soon as I deploy via Docker, I get a 403 error...
New
dokuzbir
I want to highlight html closing tags when i click a html tag. That works in .html files but doesnt work for html.eex templates. How can...
New

Other popular topics Top

siddhant3030
Hi, I have to write a raw query for one of my project. But till now I have used ecto queries and don’t have much experience writing raw ...
New
Darmani72
If I have a post route which an argument: post /my_post_route/:my_param1, MyController.my_post_handler How would get the post params ...
New
gshaw
What is the idiomatic way of matching for not nil in Elixir? E.g., First way: defp halt_if_not_signed_in(conn, signed_in_account) when...
New
johnnyicon
Hi all, I’ve just started learning Elixir and Phoenix Framework, so please pardon my n00bness at this stage. I’m trying to use Postgres...
New
vrod
I am using the Starship cross-shell prompt – it seems pretty nice, but I get some errors: [WARN] - (starship::utils): Executing command ...
New
dblack
I’ve got an issue with an app and I’ve no idea of how to troubleshoot it. I’m hoping someone here might have seen something similar. I p...
New
nsuchy
Hi. I’ve noticed that Windows Powershell has it’s own IEX command and you cannot access Elixir’s IEX due to the conflict. This isn’t a cr...
New
komlanvi
Hi everyone, I was playing with phoenix liveView but I run into an issue. I have a form and want to validate each input text when the te...
New
Brian
What is the proper way to load a module from a file in to IEX? In the python world, doing something like this pretty standard: from ....
New
svb
Hi! Currently I want to submit a form by pressing the Enter key. However, since my input field is of type “textarea” this is just adds a...
New

We're in Beta

About us Mission Statement