web application security lab

Cookie Expiration

14 posts left…

Day 1 at the OWASP conference in Irvine. Lots of good people here, and tons of good conversations. Talking with Jeremiah from WhiteHat and Sid Stamm from Mozilla reminded me that I wanted to talk about cookie expiration. I’m only talking for myself here, and not the average user - but I really dislike the concept of persistent cookies. If I wanted something to persist, I wouldn’t use sandboxes and violently and regularly clean my cookies by hand. Yet still - cookies persist way too long. Realistically there are two types of attacks that involve the persistence of cookies. The first is a drive-by opportunistic exploit - let’s say you’re on a porn site and it forces your browser to visit MySpace or Facebook, and because you’re probably still logged in, boom, you’re compromised via CSRF or clickjacking or whatever. The second is where the attacker knows you’re logged in because they’re attacking you through the very platform that they intend to compromise (likejacking is a good example).

Although we can’t do much about the second case, the first case comes down in large part to cookie expiration. Why should a browser hold onto a cookie just because the site told it to? If I’m not actively sending requests to the site in question, there’s a good chance I don’t want my browser to send its cookies after X amount of time. In my case, X is probably an hour or two max (considering I take lunches). Maybe some people would argue that they don’t want to be hassled by typing their webmail password more than once per day. Okay, fine, but the point is that the magic number probably isn’t once every two weeks, or once a month, or once every 20 years, for most security people (I’d hope). So perhaps we need to consider a default mechanism for timing cookies out when they’re not actively being sent to the server, regardless of what the server wants. Incidentally, Sid thinks this would make a good addon. Takers?
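The idle timeout proposed above, as an added illustration that is not code from the post or from any browser: a toy cookie jar that honours the server’s expiry but also stops sending a cookie once the browser has not sent it for idle_limit seconds. The class and function names and the explicit now clock passed into every call are assumptions of this example, and the drive-by timeline is constructed.

```python
from dataclasses import dataclass

# Added example, not from the post: a cookie jar with the idle timeout the
# post proposes. Names and the explicit "now" clock are assumptions.
IDLE_LIMIT = 2 * 3600  # seconds since last use; the post's "hour or two max"


@dataclass
class Cookie:
    name: str
    value: str
    expires: float    # absolute expiry the server asked for (epoch seconds)
    last_sent: float  # when the browser last actually sent this cookie


class IdleAwareCookieJar:
    """Drops a cookie when the server expiry passes OR when the browser
    has not sent it for longer than idle_limit, whichever comes first."""

    def __init__(self, idle_limit: float = IDLE_LIMIT):
        self.idle_limit = idle_limit
        self._jar: dict[tuple[str, str], Cookie] = {}  # (host, name) -> Cookie

    def store(self, host: str, name: str, value: str, max_age: float, now: float) -> None:
        # The server-requested lifetime is recorded, but only as an upper bound.
        self._jar[(host, name)] = Cookie(name, value, now + max_age, now)

    def cookies_for(self, host: str, now: float) -> dict[str, str]:
        """Cookies that may be sent to host at time now; sending one counts
        as use and refreshes its idle clock."""
        to_send: dict[str, str] = {}
        for key, c in list(self._jar.items()):
            if key[0] != host:
                continue
            if now >= c.expires or now - c.last_sent > self.idle_limit:
                del self._jar[key]  # expired by the server or by inactivity
                continue
            c.last_sent = now
            to_send[c.name] = c.value
        return to_send


def drive_by_scenario(idle_limit: float = IDLE_LIMIT) -> tuple[bool, bool]:
    """Constructed timeline: log in at t=0 with a two-week cookie, use the
    site an hour later, then a drive-by page forces a cross-site request
    four hours after that. Returns (sent_during_use, sent_by_drive_by)."""
    jar = IdleAwareCookieJar(idle_limit)
    jar.store("social.example", "sid", "abc123", max_age=14 * 86400, now=0)
    used = bool(jar.cookies_for("social.example", now=3600))
    forced = bool(jar.cookies_for("social.example", now=3600 + 4 * 3600))
    return used, forced
```

With the two-hour default the forced request carries no session cookie, so the CSRF or clickjacking attempt lands on a logged-out page; raising idle_limit to the server’s two weeks restores today’s behaviour.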

7 Responses to “Cookie Expiration”

  1. austin Says:

    Wow, I just ASSUMED that was an option. It seems such common sense that I don’t know why it’s not.

    As a developer I use persistent cookies because the people who use my site don’t like to have to keep putting in their password. Ideally I suspect they wouldn’t like to put in a password at all (but that’s not going to happen), so rather than divine how often my users would like to be forced to log in, I just make them persistent.

    But the ability for them to set the expiry date manually would be great.

  2. anonymouse Says:

    Have you looked at the same-origin cookie proposal that some people have?

  3. Utills Says:

    Instead of “Expiration” how about Cookie Suspension?

    I can’t think of too many sites that would require use within an iframe, for example, and so if there are no active tabs using the cookie, it should be suspended until a website is visited that uses the cookie on the main page (i.e. address bar based).

    This doesn’t prevent the case where an untrusted site redirects the whole page to Facebook or Twitter or pops up another page, as that would re-enable the cookie. For this you’d have to have a mechanism for the browser to only let trusted sites* redirect to cookie-owning sites.

    *How do you judge what a trusted site is?

  4. Wornstrom Says:

    Or have a notification message, like NoScript uses, asking if you want to send cookies?

  5. Richard Says:

    No addon needed. This is a standard feature of Firefox (since version 0.8 in 2003). Just set network.cookie.lifetimePolicy to 1, 2 or 3 depending on your needs. Hint for RSnake: google before you blog. ;-)

    See also:
    http://kb.mozillazine.org/Network.cookie.lifetimePolicy
    http://mozilla.gunnars.net/firefox_help_firefox_cookie_tutorial.html

  6. RSnake Says:

    @Richard - I asked the Mozilla security team - I figured they’d know. But I don’t want anything for “days” - I want it for hours. I’ll have to see if it takes decimals. Also, this doesn’t take into account use or not use, so either way it’s not what I want. But still interesting. Thanks for the links.

  7. MustLive Says:

    RSnake

    Nice concept (especially if users are allowed to set the lifetime of cookies precisely, down to hours or minutes). But Mozilla and Firefox have had such functionality for many years already (and other browser vendors need to build something similar into their software), as Richard mentioned. And it’s available not only in about:config, but also via the GUI of the browser (in Preferences).

    These options allow only days to be set for cookie expiration (hours are not supported). And they are global options; there is no way to set per-site cookie expiration. And in old Mozilla the GUI allows setting the days, but that’s not possible in Firefox (so about:config must be used).

    So this concept could be made more comfortable in Firefox by making all the above-mentioned improvements. It could be done either in an addon for the browser or in the browser itself.

    “likejacking is a good example”

    Nice name for hijacking of “likes” :-).

    “14 posts left…”

    First think about the people who read your site before you stop posting ;-). Remember that there are people who read it (and they want to continue reading your new posts).