Old Cookies Die Hard (2013) - krn
https://wtfuzz.com/blogs/old-cookies-die-hard/

======
jrochkind1
This is a good vulnerability to be aware of, but the OP is probably wrong
about "server maintains the authentication cookie" -- what's probably going
on is that the servers simply don't maintain state at all, the cookie alone
has the state, so replaying the cookie will always work.

Just about any Rails app using the default cookie-stored sessions will behave
the same. Not because the server is "maintaining the authentication cookie",
but precisely because the server is maintaining no state at all, it's all in
the cookie (which in the latest versions of Rails is by default encrypted and
signed, to prevent snooping or tampering -- but that doesn't prevent replay).

I think most people set cookies https only, figure they can't therefore be
sniffed, and don't worry about it.

If you wanted to deal with it, still without maintaining session state on the
server, I guess the best thing to do would be to put a timestamp in the
cookie, and refuse to honor 'old' cookies? That still wouldn't make the cookie
invalid as soon as someone pressed 'logout', and would be tricky with intended
'long lived stay logged in' cookies.

Eliminating server session state can make things (especially scaling) a lot
simpler. I think it's probably good enough to https-only your cookies and call
it a day. No?
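
The timestamped, signed, stateless cookie sketched above, as an added Ruby example (not code from the post, nor from Rails itself): the server keeps no session state, verifies the HMAC, and refuses cookies whose issued-at time is older than a cutoff. The secret, the one-hour cutoff and the cookie layout are constructed assumptions for the demo.

```ruby
require 'openssl'
require 'json'
require 'base64'

# Constructed demo values; a real deployment uses a random, per-app secret.
SECRET  = 'demo-secret-do-not-use'.freeze
MAX_AGE = 3600 # seconds after issue that a cookie is still honoured

def sign(payload)
  OpenSSL::HMAC.hexdigest('SHA256', SECRET, payload)
end

# Constant-time string comparison so MAC checking does not leak timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Stateless session cookie: base64(JSON payload) + "--" + HMAC.
# The payload carries an issued-at timestamp ("iat") for freshness checks.
def issue_cookie(user_id, now = Time.now.to_i)
  payload = Base64.strict_encode64(JSON.generate('uid' => user_id, 'iat' => now))
  "#{payload}--#{sign(payload)}"
end

# Returns the user id for a cookie that is both authentic and fresh,
# nil for anything tampered, malformed, or issued more than MAX_AGE ago.
def verify_cookie(cookie, now = Time.now.to_i)
  payload, mac = cookie.split('--', 2)
  return nil if payload.nil? || mac.nil?
  return nil unless secure_equal?(mac, sign(payload)) # reject forgeries first
  data = JSON.parse(Base64.strict_decode64(payload))
  return nil unless data['iat'].is_a?(Integer)
  return nil if now - data['iat'] > MAX_AGE             # refuse stale replays
  data['uid']
rescue ArgumentError, JSON::ParserError
  nil
end
```

As the comment notes, this bounds the replay window but still cannot invalidate a cookie the moment the user logs out; only server-side state can do that.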

------
smilepet_26
Very good analysis of cookies on such extremely popular websites, but it
turns out that they do not have proper security measures in place to
protect users' confidentiality. Very pathetic. This is why some sites like
OSIpage (http://www.osipage.com) require both a
password+security code combination for additional security and do not rely
on session cookies.

~~~
dogma1138
Not sure if a scam click bait or not, but damn man, 1996 called, it wants its
web pages back...

------
rblatz
This seems to imply that servers are saving a copy of the cookie on their end.
But in reality it's more like dropping a cookie with enough information in it
to uniquely identify the user. It then encrypts and signs the cookie. If the
server can decrypt the cookie and the signature is valid it knows that this is
a valid auth cookie.

------
PhantomGremlin
I just don't understand why people are so determined to preserve their
cookies. It's so easy to get rid of them.

I set Firefox to "Clear history when Firefox closes", and make sure that
includes cookies (the only thing I don't routinely clear is "Browsing &
Download History"). I exit Firefox at least once a day. Other browsers make it
nearly as easy. E.g. Safari has a menu entry "Reset Safari ...". Voila, no
stale cookies.

Is it really that difficult to exit a browser once a day? Of course, I don't
keep dozens of tabs open, so maybe it's easier for me than for people who have
adopted a different browsing methodology.

Is it really that difficult or time consuming to log in to a website once a
day? I prefer to, I never reuse passwords across sites, so this way I keep all
my different passwords fresh in my mind.