Better security - Session ID in cookies vs. Encrypted cookie

Question

Debating these two methods of storing session data:

• https://github.com/mozilla/node-client-sessions (Store all session data in the cookie and encrypt it)
• https://github.com/expressjs/session (Session ID in cookies and use database to store session data)

Not sure which is more secure because after reading a little about the internals of node-client-sessions, there are a lot of potential attack vectors that need to be accounted for, and I'm not sure how much they account for. For example, they account for a timing attack by using a constantTime algorithm in one place. But there are many more potential vulnerabilities, and not being an expert I can't tell how well done it is as a library.

On the other hand, I have seen people say storing session id in the database is a no go. But at least here you could black list the session id.

Any advice or guidance would be greatly appreciated. Thank you.

Answer 1

The security difference will mostly be in the implementation details. Fundamentally both approaches are the same: you store a blob of data which is meaningless to the client on the client to preserve some state between requests. The difference is that session id cookies are in themselves meaningless because they do not represent any meaningful information, while the encrypted cookie is meaningless because the client does not possess the ability to decrypt the data.

Encrypted cookies are fundamentally more complex: they're larger in size, they require a complex algorithm, they require that algorithm to be correctly implemented, they do contain actual data and are thereby worth attacking, they do require the management of a secret key. They're also harder to revoke due to their decentralised nature.

Session id cookies are plain simple: a meaningless random id merely referring to data stored elsewhere. The only vulnerability* is guessability, which is easy enough to prevent by increasing the length and rotating and expiring ids. I have no idea why storing session ids/data in a database would be a bad idea in any way; as long as the database is secure, there's no issue there. If your data store is prone to attacks, you have bigger issues than where your session data is stored.

(* Aside from outright hijacking, which is the same vulnerability for all cookies, and implementation specific flaws like accepting undefined session ids etc.)

Given that, you need to decide whether the increased attack surface of encrypted cookies is worth the benefits of stateless servers, and whether you trust the implementation of the encryption. For high scalability I would seriously look into it, for small-scale services I would keep it as simple as possible.

Answer 2

Given that i just asked a question on crypto, i wouldn't peg me as an expert but:

a) If appropriately encrypted then the data in the cookie should be fine...

• You are, at the end of the day storing the data on the end users machine. Not so great for shared machines but you can argue that the algo is most likely strong enough
• If it's lots of data, you're transferring it to and fro with every page load, so you could slow down your application.

b) If you're using an SSL connection, a session ID should also be fine (with the appropriate length)

• Regen session keys
• Depending on your application, you can minimise the viewing of personal data. e.g. If you use the session to keep track of a users progress but don't present their information back to them (via the session), this could arguably be more secure.