improve documentation regarding best practices for domain wide cookies

[joernheissler]

Hello,

Vouch Proxy relies on the ability to share a cookie between the Vouch Proxy server and the application it's protecting. Typically this will be done by running Vouch on a subdomain such as vouch.yourdomain.com with apps running at app1.yourdomain.com and app2.yourdomain.com. The protected domain is .yourdomain.com and the Vouch Proxy cookie must be set in this domain by setting vouch.domains to include yourdomain.com

VP sets the cookie on .example.net; the browser will send the cookie to every subdomain of example.net including "notprotected.example.net" and "compromised.example.net".
The (legitimate or not) operators of those subdomains can easily grab the cookie and use it to impersonate the user.
Because it's SSO, the same cookie will work for all other protected subdomains as well.

Example:

• User opens https://app1.example.net/ and logins with VP / OIDC.
• User next visits https://compromised.example.net/ and the browser sends the cookie.
• That server reads out the cookie and authenticates against https://app1.example.net/ or https://app2.example.net/

If that behaviour is by intention, it should be documented clearly: "Each and every subdomain has to fully trusted as it can easily impersonate logged in users on every other subdomain."

Or it's a flaw in the design of VP. Perhaps it's possible to change things a bit:

• Do not use domain wide cookies.
• Every protected subdomain needs its own cookie that won't work on any other subdomain.
• vouch.example.net maintains its own SSO cookie
• Example workflow:
  • User opens https://app1.example.net/
  • There is no cookie, so user gets redirected to https://vouch.example.net/
  • There is no cookie either, so user has to login through OIDC.
  • https://vouch.example.net/ sets the SSO cookie on vouch.example.net and redirects user back to app1.
  • app1 verifies the login and sets a new cookie on app1.example.net, and then redirects the user to the actual application.
  • User later visits app2.example.net. Again, there is no cookie and user will get redirected to vouch.
  • vouch sees the SSO cookie and redirects the user back to app2 which again sets a new cookie on app2.example.net and redirects the user to the app2.

https://othersubdomain.example.net/ will never receive any cookie.
https://app1.example.net/ cannot use their cookie to login into https://app2.example.net/

n.b.: I did read the security policy and wrote an email, but received no response.

[bnfinet]

@joernheissler thank you for your interest in Vouch Proxy and for raising this issue

It's a fair point. Any cookie set into a common domain (.example.net) is visible to all websites in the domain including those outside of the set of VP protected FQDNs (such as app1.example.net).

Perhaps a best practice could be documented that using a common subdomain for holding the cookie such as .vouch.example.net with protected apps at app1.vouch.example.net is preferred.

@joernheissler Would you care to work on a PR to update the documentation?

n.b.: I did read the security policy and wrote an email, but received no response.

We did receive your email but it was unsigned and came from a domain which did not serve a website or provide any sense of who was making contact. It felt a little fishy so I chose not to respond.