• Top
  • New

Show HN: Secure Session Cookie Scheme Using Existing Tech

by jwally on 4/4/2024, 2:47:20 PM with 0 comments
I saw an article this morning that Google is planning on exposing an API in Chrome to tie cookies to a user's machine via public key cryptography and the TPM.

I humbly submit what I think as a much simpler approach that _should_ work across all modern browsers and can be done today:

Secure Session Cookie Scheme Using JWT and Web Crypto API

1. Key Generation and Storage:

    - Generate an ECDSA key pair using the Web Crypto API, set to 'unextractable'.

    - Store the keys in IndexedDB for persistent and secure client-side storage.

2. Initial Authentication:

    - The browser signs a message (a nonce or predetermined data) with the private key.

    - Send the signed message and public key to the server.

3. Server-Side Verification and JWT Creation:

    - Server verifies the signature with the public key.
    
    - Upon verification, create a JWT embedding the browser’s public key.

4. JWT for Subsequent Requests:

    - Browser signs the JWT with the private key for future requests.
   
    - Server verifies request signatures using the public key in the JWT.

5. Session Security:

    - Interception of JWT is not a threat without the corresponding private key.

    - The 'unextractable' key property prevents direct theft from the browser.

6. Renewal and Expiration:

    - Implement expiration for JWTs.

    - New key pairs for key rotation/renewal and repeating initial authentication process.

This approach uses cryptographic signatures and JWTs for secure sessions, significantly reducing session hijacking risks by tying authenticated requests to the possession of a secure private key in the user's browser.

These are some libraries I built to help work with WebCrypto and IndexedDB. If you'd like to contribute to them, I'd love the help and extra sets of eyes!

https://github.com/JWally/EZindexDB

https://github.com/JWally/EZindexDB