Application Cookies

1 General Consideration

The application uses cookies for two purposes: authentication, and supplying data to upstream services.
Authentication cookies have random names and random content.
Data cookies, which supply data to upstream, have static names that the developer can adjust.

All application cookies are HttpOnly. The expiry date of a cookie varies with its type, the user's options and the settings in section auth_setup (mainly auth_setup -> remember_me_validity_ms).
A special prefix may be applied globally to all cookies generated by the application, subject to the conditions below. These are the same conditions browsers enforce for prefixed cookie names, so a prefixed cookie set outside them is discarded by the browser rather than stored:

  • __Host- special prefix may be applied only if:
    {
        "cookie": {
            "secure": true,
            "domain": "",
            "path": "/"
        }
    }
  • __Secure- special prefix may be applied only if:
    {
        "cookie": {
            "secure": true
        }
    }

2 Authentication Cookies

The cookies used for authentication have random names and random content, both of which change when the cookie is renewed as per settings. The random content is what makes a session unguessable; the random, rotating name additionally means there is no fixed cookie name for an attacker or a script to target.

3 Data Cookies

The cookies used to deliver data to upstream have static names, which the developer can change through the settings in section 4.

At the moment the application uses two types of data cookies:

  1. Application Status cookie: the contents of this cookie indicate a special application state, such as an in-progress Multi-Factor Authentication (MFA).
    This cookie cannot be eliminated: it is critical to the MFA procedure and to other planned features.
    The default name of the application status cookie is bFZTex31NBtbdrZW.
  2. User Details cookie: contains non-sensitive user details that may be useful when rendering menus, composing greetings, handling private caches and so on. These details are: account rank, username, first name, avatar, gender, subscribed to newsletter and subscribed to promotions.
    The default name of the user details cookie is OUzZX07UAvPNehZA.

The contents of these cookies are JSON Web Tokens (JWTs).
The key pair used to sign and verify these JWTs can be replaced. Custom keys must be placed at /etc/cmd-auth/certificates/jwt-cookies/private.key and /etc/cmd-auth/certificates/jwt-cookies/public.key. At the moment only the RS256 algorithm is supported.
The default or custom /etc/cmd-auth/certificates/jwt-cookies/public.key must be used when verifying the JWTs upstream. The upstream verifier should accept RS256 only, rather than trusting the alg field in the token header: a verifier that lets the header choose the algorithm can be talked into accepting an unsigned ("none") token or into treating the public key as an HMAC secret.

You can quickly generate your own key pair as follows (this backs up both halves of the current pair, generates a new 2048-bit pair and restricts file permissions):

cd /etc/cmd-auth/certificates/jwt-cookies || exit 1
# Keep the current pair: the old public key is still needed to verify cookies issued before the rotation
mv ./private.key ./private.key.bak
mv ./public.key ./public.key.bak
umask 077   # new files are created owner-readable only
openssl genrsa -out ./private.key 2048
openssl rsa -in ./private.key -pubout -outform PEM -out ./public.key
chmod 0400 ./private.key ./public.key
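The upstream side of the scheme described above, as an added example that is not part of cmd-auth or of any upstream it ships with. It is Go using only the standard library: NewKeyPair generates a key pair in memory as a stand-in for the private.key/public.key files (the public half is PEM-encoded in the same "BEGIN PUBLIC KEY" form openssl -pubout writes), SignRS256 mints a sample token with constructed claims the way the application would for the user details cookie, and VerifyRS256 checks the cookie value with the algorithm pinned to RS256, so a token whose header says "none" or "HS256" is rejected before any cryptography runs. The function names and the claim names in the sample are this example's own, not the application's.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"encoding/pem"
	"errors"
	"fmt"
	"strings"
)

// JWT segments use URL-safe base64 without padding.
var b64 = base64.RawURLEncoding

// NewKeyPair stands in for private.key/public.key under /etc/cmd-auth/certificates/jwt-cookies/:
// a fresh 2048-bit key and the PEM ("BEGIN PUBLIC KEY") form of its public half.
func NewKeyPair() (*rsa.PrivateKey, []byte, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	der, _ := x509.MarshalPKIXPublicKey(&priv.PublicKey) // cannot fail for an RSA key
	return priv, pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der}), nil
}

// SignRS256 mints a compact JWT (header.payload.signature), the shape of a data cookie value.
func SignRS256(claims map[string]interface{}, priv *rsa.PrivateKey) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	payload, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	signingInput := b64.EncodeToString(header) + "." + b64.EncodeToString(payload)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64.EncodeToString(sig), nil
}

// VerifyRS256 is the upstream check: it validates a cookie value against public.key and
// returns the claims. The algorithm is pinned before any cryptography runs, so a header
// claiming "none" or "HS256" is rejected rather than steering which check is performed.
func VerifyRS256(token string, pubPEM []byte) (map[string]interface{}, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token: want header.payload.signature")
	}
	var seg [3][]byte // decoded header, payload, signature
	for i, p := range parts {
		var err error
		if seg[i], err = b64.DecodeString(p); err != nil {
			return nil, err
		}
	}
	var hdr struct{ Alg string `json:"alg"` }
	if err := json.Unmarshal(seg[0], &hdr); err != nil {
		return nil, err
	}
	if hdr.Alg != "RS256" {
		return nil, fmt.Errorf("alg %q rejected: only RS256 is accepted", hdr.Alg)
	}
	block, _ := pem.Decode(pubPEM)
	if block == nil {
		return nil, errors.New("public key is not PEM")
	}
	parsed, err := x509.ParsePKIXPublicKey(block.Bytes)
	if err != nil {
		return nil, err
	}
	pub, ok := parsed.(*rsa.PublicKey)
	if !ok {
		return nil, errors.New("public key is not RSA")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], seg[2]); err != nil {
		return nil, errors.New("signature does not verify")
	}
	var claims map[string]interface{}
	if err := json.Unmarshal(seg[1], &claims); err != nil {
		return nil, err
	}
	return claims, nil
}

func main() {
	priv, pubPEM, _ := NewKeyPair()
	// Constructed sample claims, using fields the user details cookie is documented to carry.
	tok, _ := SignRS256(map[string]interface{}{"username": "alice", "rank": "member"}, priv)
	claims, err := VerifyRS256(tok, pubPEM)
	fmt.Println(claims["username"], err) // alice <nil>
}
```

In a real upstream, pubPEM is the contents of /etc/cmd-auth/certificates/jwt-cookies/public.key and the token is the value of the cookie named by status_cookie_name or user_details_cookie_name. The page does not say whether these tokens carry an exp claim; if they do, the verifier should check it as well after the signature passes.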

4 Application Settings for Cookies

The following application settings are used when handling cookies (default values given):

{
    "cookie": {
        "secure": true,
        "domain": "",
        "samesite": "Strict",
        "path": "/",
        "prefix": "",
        "status_cookie_name": "bFZTex31NBtbdrZW",
        "user_details_cookie_name": "OUzZX07UAvPNehZA"
    },
    "auth_setup": {
        "remember_me_validity_ms": 31536000000
    }
}