Catching Compromised Cookies

Slack uses cookies to track session states for users on slack.com and the Slack Desktop app. The ever-present cookie banners have made cookies mainstream, but as a quick refresher, cookies are a little piece of client-side state associated with a website that is sent up to the web server on every request. Websites use this…

Ryan Slama
12 min read · advanced

Overview

The article discusses how Slack automatically detects stolen session cookies to enhance user security. It details the mechanisms behind detecting session forking, the challenges faced during implementation, and the strategies employed to minimize false positives while ensuring effective detection.

What You'll Learn

1. How to detect session forking in web applications
2. Why maintaining accurate last access timestamps is crucial for cookie security
3. How to implement a two-phase cookie updating approach to enhance security

Key Questions Answered

How does Slack detect compromised cookies?
Slack detects compromised cookies by monitoring for session forking, which occurs when a cookie is used from multiple devices simultaneously. The system utilizes a last access timestamp stored in both the cookie and the database to identify discrepancies, indicating potential cookie theft.
What challenges did Slack face in cookie detection?
Slack encountered challenges such as false positives triggered by legitimate user behavior and the fact that clients do not always reliably store a newly set cookie. These issues required additional measures, such as IP address verification and a two-phase approach to cookie updates, to improve detection accuracy.
What is the significance of the last access timestamp in cookie security?
The last access timestamp is critical as it helps determine if a cookie is outdated compared to the current database value. If a stolen cookie with an old timestamp is used, the system can detect that the session has been forked, thereby enhancing security against unauthorized access.
How does Slack handle false positives in cookie detection?
Slack addresses false positives by incorporating IP address checks and ensuring that the last access timestamp aligns with the stored database value. This helps differentiate between legitimate user actions and potential cookie theft, reducing unnecessary disruptions for users.

Key Actionable Insights

1. Implement a last access timestamp mechanism for session cookies to enhance security.
   By tracking when a cookie was last accessed, you can identify discrepancies that may indicate cookie theft. This proactive approach allows for timely detection of unauthorized access.
2. Utilize a two-phase cookie updating process to minimize detection errors.
   This method ensures that the cookie is only updated after confirming the client has successfully stored the new value, reducing the likelihood of false positives caused by network issues.
3. Regularly review and adjust session duration settings to balance security and user experience.
   While shorter session durations can enhance security, they may frustrate users. Finding the right balance is crucial for maintaining user satisfaction while protecting sensitive data.
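Putting the detection mechanism from "Key Questions Answered" and insights 1 and 2 above together, here is an added example (not Slack's own code): a session store whose cookie carries a last-access timestamp, which flags a fork when a stale cookie arrives, uses an IP comparison to limit false positives, and applies the two-phase update so a cookie the client never managed to store does not trigger a detection. Timestamps are passed in explicitly so the flow can be traced; the same-address allowance and the revoke-on-fork response are assumptions of this example.

```python
# Added illustration of the scheme summarised above (not Slack's code): the cookie
# carries (session_id, last_access); the server keeps the committed last_access
# plus a "pending" value so an update is only committed once the client echoes it.
from dataclasses import dataclass
from typing import Optional

Cookie = tuple[str, int]  # (session_id, last-access timestamp) as held by the client


@dataclass
class SessionRecord:
    last_access: int               # committed value a genuine client's cookie should carry
    ip: str                        # client address seen at the last committed access
    pending: Optional[int] = None  # phase 1: issued to the client, not yet acknowledged


class SessionStore:
    def __init__(self) -> None:
        self.db: dict[str, SessionRecord] = {}

    def login(self, sid: str, ip: str, now: int) -> Cookie:
        self.db[sid] = SessionRecord(last_access=now, ip=ip)
        return (sid, now)

    def validate(self, cookie: Cookie, ip: str, now: int) -> tuple[str, Optional[Cookie]]:
        """Return (status, cookie_to_set); status is 'ok', 'forked' or 'unknown'."""
        sid, ts = cookie
        rec = self.db.get(sid)
        if rec is None:
            return "unknown", None
        if rec.pending is not None and ts == rec.pending:
            # Phase 2: the client demonstrably stored the new value, so commit it.
            rec.last_access, rec.ip, rec.pending = ts, ip, None
        elif ts == rec.last_access:
            # Client still holds the committed value (e.g. the earlier Set-Cookie was
            # lost): not a fork. Any other holder of this session will now mismatch.
            pass
        elif ts < rec.last_access and ip == rec.ip:
            # Older cookie from the same address: treated as benign here (an
            # assumption of this example, not necessarily Slack's rule).
            pass
        else:
            # Older than the committed value from a new address, or a value that
            # another request superseded: the session has been forked. Revoke it.
            del self.db[sid]
            return "forked", None
        # Phase 1: hand out a fresh timestamp; it becomes committed only when echoed.
        rec.pending = now
        return "ok", (sid, now)
```

Note the trade-off visible in the second branch: a stolen copy of the committed cookie is accepted once, but its request replaces the pending value, so the legitimate client's next request mismatches and the fork is caught on that round trip.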

Common Pitfalls

1. False positives can occur when legitimate user actions trigger detection events.
   This often happens due to discrepancies between the last access timestamp in the cookie and the database. To mitigate this, ensure that the system accounts for normal user behavior and adjusts detection logic accordingly.