DEV Community

Cover image for My idea about hardening the cookie storage
Alice 🌈
Alice 🌈

Posted on

My idea about hardening the cookie storage

The thing about cookies is that they usually contain a lot of sensitive session keys which are basically temporary passwords to the websites you visit.

And if i recall correctly, cookies are stored in an sqlite database somewhere (at least for Firefox)

The thing is that an attacker could've just easily downloaded that file to their computer, and then extract the cookie data from the sqlite database.

Doesn't sound very good, huh? Welp, my idea is to apply a few measures in order to protect against this kind of attack.

  1. Hash the site names with something like yescrypt, preferably with a browser-specific salt. Maybe use the fingerprint or the user agent as a salt? Although i despise fingerprints overall, this is a pretty good place to use them.
  2. Encrypt the cookie content with the site's name.
  3. Then preferably encrypt the whole database using the fingerprint or the user agent. Wouldn't really stop anyone smart, but i think its a good measure.

That's pretty much it. The whole idea. Perhaps the same principle would be applicable to local and session storages.

Personally, i think that it is infurious that since cookies are basically passwords (probably even more sensitive than passwords), they are stored in pretty much just a text file.

Top comments (2)

Collapse
 
phlash profile image
Phil Ashby

Interesting thoughts, thank you 🙏

If I understand correctly, you are suggesting 'locking' or 'fencing' session cookies such that they are associated with the browser / user / machine to prevent their re-use from elsewhere if stolen?

I have come across a few schemes that use similar approaches, usually associating session cookies with something like the IP address of the browser (may be too intrusive), or it's geo-IP location (common for online shops/banks/payment-processors), as an IP address is difficult to fake while still having a working connection! For example, when my payment card provider gets a request from a store for payment (usually via the 3D secure mechanism), they will check my geo-IP and if I am not in a well-known (previously seen) location, I will have to use a 2nd factor to authorise the payment.

Regarding stealing cookies:

  • if an attacker has file level access to your cookie store, you have bigger problems!
  • Cross-site scripting / supply-chain injection attacks are the most common way to steal cookies, in which case the website host has a problem that needs fixing. If they are doing 'important' things like payment processing they may be subject to regulation that requires testing and fixing such vulnerabilities (like PCIDSS). This should reduce likelihood of such attacks being successful!
Collapse
 
alice58 profile image
Alice 🌈 • Edited

Basically yeah, just making it harder to read the cookies. Not exactly impossible, but definetely way harder

Also I agree, if someone has file level access to the cookies its a whole other story.
Thing is I usually see people leave their computers unlocked for long periods of time when they go anywhere.
It would take less than 15 seconds to install a lightweight backdoor that would give access to the user-space fs, not even talking about fishing attacks like "Linkin Park - Numb.mp3.exe"

Since XSS and higher-level attacks are the websites' duty to care about, I wouldn't pay much attention to it since we are talking about browser development