SEC-3001 · security · auth_error · ai_generated: true

Cookie tampering detected: HMAC signature validation failed for session cookie

ID: security/cookie-tampering-hmac-signature

Fix rate: 85%
Confidence: 85%
Evidence: 1
First seen: 2023-06-10

Version Compatibility

Version            Status   Introduced   Deprecated   Notes
Express.js 4.18    active
Flask 2.3          active
Django 4.2         active
ASP.NET Core 7.0   active

Root Cause

The session cookie's HMAC signature does not match the expected signature computed from the cookie data, indicating the cookie was modified by the client or an attacker.


Official Documentation

https://expressjs.com/en/resources/middleware/session.html

Workarounds

  1. (90% success) Rotate the secret key and force all users to re-authenticate by clearing session stores. For Express.js: `app.use(session({ secret: 'new-secret', resave: false, saveUninitialized: true }))`
  2. (75% success) Implement cookie integrity monitoring: log and alert on signature failures, then invalidate the session immediately. Example: in Flask, catch `BadSignature` from `itsdangerous` and redirect to login.
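An added example, not code from this entry or from express-session, Flask or itsdangerous: a stdlib-only Python version of the signed-cookie check behind both workarounds. It signs with the current key, still verifies with the previous key so a rotation can re-issue cookies instead of failing every session, and reports the signature-failure case as a distinct "tampered" result that the application logs and invalidates. The key values are constructed for the example.

```python
import base64
import binascii
import hashlib
import hmac
import json

# Constructed keys for this example. The first entry signs new cookies; the
# rest are previous secrets that are still accepted for verification only,
# so a rotation does not log everyone out at once.
KEYS = [b"example-secret-2023-06", b"example-secret-2023-01"]

def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_session(data, key=KEYS[0]):
    """Serialize session data and append an HMAC-SHA256 tag: <payload>.<tag>."""
    payload = _b64(json.dumps(data, sort_keys=True).encode())
    tag = hmac.new(key, payload.encode(), hashlib.sha256).digest()
    return payload + "." + _b64(tag)

def verify_session(cookie, keys=KEYS):
    """Return ("ok", data), ("rotated", data) or ("tampered", None)."""
    try:
        payload, tag = cookie.split(".", 1)
        given = _unb64(tag)
    except (ValueError, binascii.Error):
        return "tampered", None  # malformed cookie: treat like a bad signature
    for i, key in enumerate(keys):
        expected = hmac.new(key, payload.encode(), hashlib.sha256).digest()
        if hmac.compare_digest(expected, given):  # constant-time comparison
            return ("ok" if i == 0 else "rotated"), json.loads(_unb64(payload))
    return "tampered", None

def handle_session_cookie(cookie):
    """Map the check to the action the app takes; "tampered" is SEC-3001."""
    status, data = verify_session(cookie)
    if status == "tampered":
        # Log and alert here, then drop the session and send the user to login
        # instead of trusting any field in the cookie.
        return {"action": "invalidate_and_redirect", "session": None}
    if status == "rotated":
        # Verified with an old key: re-issue the cookie under the current key.
        return {"action": "reissue", "session": data, "cookie": sign_session(data)}
    return {"action": "continue", "session": data}
```

Once every live session has been re-issued, the old key can be dropped from `KEYS`; any cookie still carrying the old signature then fails as tampered.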


Dead Ends

Common approaches that don't work:

  1. (40% fail) Regenerating the secret key without invalidating existing sessions causes every current session to fail, producing a mass logout, and does not fix the root cause of the tampering.
  2. (50% fail) Disabling signature validation entirely in development to bypass the error leaves the application vulnerable in production.
  3. (10% fail) Some attempt to use a weaker hash algorithm such as MD5 to 'fix' performance, but this reduces security and may still fail if the signature format changes.