public/owltide
1
0
Fork 0
Code Issues 2 Pull requests Projects Releases Packages 1 Wiki Activity Actions

Include the name of the cookie in the signature

Browse source 
If a cookie is signed for one purpose, but the server also uses a
differently named signed cookie name for another purpose, then it's
possible for a malicious client to substitute the value of one signed
cookie with the value of another and have it pass the signature check.

Include the name of the cookie when computing the signature so that no
cookies signed for example for "user_session" can be used as a value for
a hypothetical "admin_session" cookie.
This commit is contained in:
Hornwitser 2025-04-02 23:13:06 +02:00 committed by Hornwitser
parent a16921f264
commit c9976af26b
1 changed files with 2 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

4
server/utils/signed-cookie.ts
View file

@ -17,7 +17,7 @@ export async function useCookieSecret(event: H3Event) {
export async function setSignedCookie(event: H3Event, name: string, value: string, maxAge?: number) {
const secret = await useCookieSecret(event);
const signature = await crypto.subtle.sign("HMAC", secret, Buffer.from(value));
const signature = await crypto.subtle.sign("HMAC", secret, Buffer.from(`${name}=${value}`));
const cookie = `${value}.${Buffer.from(signature).toString("base64url")}`
setCookie(event, name, cookie, { httpOnly: true, secure: true, sameSite: true, maxAge });
}
@ -34,7 +34,7 @@ export async function getSignedCookie(event: H3Event, name: string) {
const value = cookie.slice(0, rightDot);
const secret = await useCookieSecret(event);
const signature = Buffer.from(cookie.slice(rightDot + 1), "base64url");
const valid = await crypto.subtle.verify("HMAC", secret, signature, Buffer.from(value));
const valid = await crypto.subtle.verify("HMAC", secret, signature, Buffer.from(`${name}=${value}`));
if (!valid)
return