[Ur] Securing sessions in Ur/Web

Matt Rice ratmice at gmail.com
Mon Jan 21 11:25:15 EST 2019


On Mon, Jan 21, 2019 at 6:00 AM Adam Chlipala <adamc at csail.mit.edu> wrote:
>
> On 1/21/19 2:22 AM, Simon Van Casteren wrote:
> > 1. Yeah after some experimentation I understood the builtin cookie
> > security mechanism is there for XSRF attacks only. That's why I made
> > my own cookie forgery protection by hashing the contents of the cookie
> > and always checking that digest when reading the cookie. I feel that
> > that is pretty safe (and much faster than always hitting the database)
> > since the only problem I can think of with that is somebody actually
> > getting a hold of the cookie itself, but once that happens you're
> > pretty much screwed anyway?
>
> You're right that this seems to be a classy use of crypto to optimize a
> protocol while maintaining security!

The json combined with a signature field does seem to also be the
approach used by ocap-ld
in the proof/signatureValue fields, so that may be worth a look as well.
https://w3c-ccg.github.io/ocap-ld/



More information about the Ur mailing list