Friday, February 11, 2011

Spring's authentication, does it use encrypted cookies?

Does the Spring framework use (or offer as one of the options it supports) encrypted cookies that store the logged-in user's userId in a cookie?

This is how asp.net authentication works, where it encrypts a value in a cookie, which is normally the userId or username.

Is that what Spring does? (I realize Spring lets you choose, but is this the most common approach generally?)

  • Storing user ID or any kind of data the server relies upon is a terrible idea. It typically means as soon as someone figures out how your encryption works (which is only a matter of time, particularly when they have a crib as user IDs tend to be public too) they can probably compromise your system.

    In case you're wondering what a "crib" is, see the Cryptography FAQ (03/10: Basic Cryptology):

    Cryptanalytic methods include what is known as "practical cryptanalysis": the enemy doesn't have to just stare at your ciphertext until he figures out the plaintext. For instance, he might assume "cribs"---stretches of probable plaintext. If the crib is correct then he might be able to deduce the key and then decipher the rest of the message. Or he might exploit "isologs"---the same plaintext enciphered in several cryptosystems or several keys. Thus he might obtain solutions even when cryptanalytic theory says he doesn't have a chance.

    Java Web apps typically just store a session ID and that session on the serverside contains such information as user ID. That's much more secure.

    mrblah : Funny how MS doesn't think so :) Probably 95% of .net apps store either the user id or username in the cookie!
    matt b : do you have a source for this claim?
    cletus : If you have a system where the user just needs to figure out a) what encryption algorithm you use (usually pretty obvious) and b) what the encryption key is (for which you may have one or many cribs) in order to log in as anybody then you don't need to prove that system isn't insecure. It's basic common sense.
    mrblah : @matt look here: http://msdn.microsoft.com/en-us/library/aa480476.aspx see: FormsAuthentication.SetAuthCookie(userName.Text, false);
    From cletus
  • I don't have the source handy to prove this, but the answer to the question is no.

    Spring Security handles everything on the server side. The only cookie on the client is the one for JSESSIONID, and the security framework merely checks for the authentication/principal object in the request's session (at least under the default setup).

    I don't understand why you would store any sort of authentication information in the client's cookie if you could simply store a sessionID and track authentication details and state on the server side.

    mrblah : sessions are bound to a specific server.
    matt b : and a load balancer with sticky sessions makes that a moot point
    mrblah : true, but who wants sticky sessions if you have other options.
    matt b : people that don't want to put user information in cookies or worry about encryption :) or apps that need to maintain state during a user's session.
    From matt b
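Both answers describe the same pattern: the browser holds only an opaque session id (JSESSIONID) and the principal lives in server-side session state. The following is an added illustration of that pattern, not Spring Security's own code; the store, the `JSESSIONID` cookie name, the idle timeout value and the `clock` parameter are assumptions made for the example.

```python
import secrets
import time
from http.cookies import SimpleCookie

# Added illustration of server-side sessions (opaque id in the cookie, principal on the
# server). Not Spring code; the timeout below is a constructed value for the example.
SESSION_TTL_SECONDS = 1800


class SessionStore:
    """Maps an opaque random session id to the authenticated principal."""

    def __init__(self, ttl=SESSION_TTL_SECONDS, clock=time.time):
        self._sessions = {}  # sid -> {"principal": ..., "last_seen": ...}
        self._ttl = ttl
        self._clock = clock  # injectable clock so timeouts can be tested deterministically

    def login(self, principal):
        # 32 bytes from the OS CSPRNG: the id is unguessable and encodes nothing about the user,
        # so there is no ciphertext to attack and no key whose loss would let someone forge logins
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"principal": principal, "last_seen": self._clock()}
        return sid

    def principal_for(self, sid):
        entry = self._sessions.get(sid)
        if entry is None:
            return None  # unknown or already logged out: treat the request as anonymous
        if self._clock() - entry["last_seen"] > self._ttl:
            del self._sessions[sid]  # idle timeout: drop the server-side state
            return None
        entry["last_seen"] = self._clock()
        return entry["principal"]

    def logout(self, sid):
        # Invalidating server-side state revokes the session even if the client keeps the cookie
        self._sessions.pop(sid, None)


def set_cookie_header(sid):
    # Only the opaque id is sent to the browser; HttpOnly and Secure limit script and plaintext exposure
    return f"JSESSIONID={sid}; Path=/; HttpOnly; Secure"


def principal_from_request(store, cookie_header):
    """Resolve the principal for a request from its raw Cookie header (None if anonymous)."""
    jar = SimpleCookie()
    jar.load(cookie_header)
    morsel = jar.get("JSESSIONID")
    return store.principal_for(morsel.value) if morsel else None
```

Compare with the asker's description of encrypting the user id into the cookie: here the cookie value is useless on its own, and a session ends when the server forgets it, not when the client discards the cookie.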
