Cookie replay attacks happen when someone steals your cookie and uses it to pretend to be you. This guide shows how to add extra security layers \u2013 using a unique \u2018nonce\u2019 (number used once) with each login, checking the user\u2019s IP address, and setting secure flags on cookies \u2013 to make these attacks much harder.<\/p>\n
Imagine you log into your bank. Your browser gets a cookie that proves you\u2019re logged in. If someone steals this cookie, they can use it to access your account without needing your password. That\u2019s a replay attack. We need ways to make sure the cookie isn\u2019t used after it *should* be.<\/p>\n
We\u2019ll combine three techniques for better protection:<\/p>\n
Unique Nonce per Login
\nIP Address Checking (with caution)
\nSecure Cookie Flags<\/p>\n
A nonce is a random, unique number generated for each login session. We store this on the server and check it with every request.<\/p>\n
Generate the Nonce: When a user logs in successfully, create a strong random string (e.g., using a UUID).
\nStore the Nonce: Save this nonce associated with the user\u2019s session on your server-side storage (database, cache etc.).
\nInclude in Cookie: Add the nonce to the cookie data as an encrypted value.
\nVerify on Every Request: With every request that uses the cookie, decrypt the nonce and compare it to the one stored on the server for that session. If they don\u2019t match, reject the request.<\/p>\n
Example (Python\/Flask):<\/p>\n
import uuid
\nfrom flask import Flask, request, session<\/p>\n
def login(username, password):
\n # … authentication logic…
\n nonce = str(uuid.uuid4())
\n session[‘nonce’] = nonce
\n # Encrypt the nonce before storing in cookie!
\n encrypted_nonce = encrypt(nonce) # Replace with your encryption function
\n return encrypted_nonce<\/p>\n
def verify_login():
\n if ‘nonce’ not in session:
\n return False
\n cookie_nonce = request.cookies.get(‘my_cookie’) # Get cookie value
\n decrypted_nonce = decrypt(cookie_nonce) # Replace with your decryption function
\n if decrypted_nonce != session[‘nonce’]:
\n return False
\n return True<\/p>\n
Important: Always encrypt the nonce before storing it in a cookie. Never store plain text nonces.<\/p>\n
Record the user\u2019s IP address when they log in and check if subsequent requests come from the same IP. This isn\u2019t foolproof (IP addresses can change), but adds another layer of defence.<\/p>\n
Store IP Address: When a user logs in, store their IP address alongside the session data.
\nCompare on Every Request: With each request, get the current IP address and compare it to the stored one. If they differ significantly, consider rejecting the request or requiring re-authentication.<\/p>\n
Example (PHP):<\/p>\n
<?php session_start();
\nif ($_POST['login'] == 'true') {
\n # … authentication logic…
\n $_SESSION['ip_address'] = $_SERVER['REMOTE_ADDR'];
\n}<\/p>\n
if ($_SESSION['ip_address'] != $_SERVER['REMOTE_ADDR']) {
\n \/\/ IP address has changed – potential replay attack!
\n session_destroy();
\n echo 'Login session invalidated.';
\n exit;
\n}<\/p>\n
Caution: Don’t rely solely on IP addresses. Users can change IPs (mobile networks, VPNs). Use this as a *supplement* to other methods.<\/p>\n
These flags tell the browser how to handle your cookie:<\/p>\n
Secure: Only send the cookie over HTTPS connections. Essential!
\nHttpOnly: Prevent JavaScript from accessing the cookie, reducing XSS attack risk. Highly recommended!
\nSameSite: Controls when cookies are sent with cross-site requests. Set to ‘Strict’ or ‘Lax’ for better protection against CSRF attacks. Recommended!<\/p>\n
Example (Python\/Flask):<\/p>\n
from flask import make_response<\/p>\n
def set_cookie(value):
\n resp = make_response(‘Cookie Set’)
\n resp.set_cookie(‘my_cookie’, value, secure=True, httponly=True, samesite=’Strict’)
\n return resp<\/p>\n
Note: Ensure your entire site uses HTTPS for the ‘Secure’ flag to work effectively.<\/p>\n
The post Stop Cookie Replay Attacks<\/a> appeared first on Blog | G5 Cyber Security<\/a>.<\/p>","protected":false},"excerpt":{"rendered":" TL;DR Cookie replay attacks happen when someone steals your cookie and uses it to pretend to be you. This guide shows how to add extra security layers \u2013 using a unique \u2018nonce\u2019 (number used once) with each login, checking the user\u2019s IP address, and setting secure flags on cookies \u2013 to make these attacks much […]<\/p>\n","protected":false},"author":0,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[],"class_list":["post-6005","post","type-post","status-publish","format-standard","hentry","category-news"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/6005"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=6005"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/6005\/revisions"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=6005"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=6005"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=6005"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}