{
  "id": "security/cookie-tampering-hmac-signature",
  "signature": "Cookie tampering detected: HMAC signature validation failed for session cookie",
  "signature_zh": "Cookie篡改检测到：会话Cookie的HMAC签名验证失败",
  "regex": "HMAC signature.*invalid|cookie.*signature.*mismatch|tampered cookie|signature verification failed",
  "domain": "security",
  "category": "auth_error",
  "subcategory": null,
  "root_cause": "The session cookie's HMAC signature does not match the signature the server recomputes over the cookie payload with its own secret key. This happens when the cookie was modified in transit or by the client (a tampering or forgery attempt), but also, very commonly, when the server-side secret is not the one the cookie was signed with: a secret regenerated on every process start, a secret that differs between load-balanced instances, or a key rotated without keeping the previous key valid for verification. Rule out a secret mismatch before treating every failure as an attack.",
  "root_cause_type": "generic",
  "root_cause_zh": "会话Cookie的HMAC签名与服务端使用自身密钥对Cookie载荷重新计算出的签名不匹配。这可能表明Cookie在传输途中或在客户端被修改（篡改/伪造尝试），但更常见的原因是服务端密钥并非签发该Cookie时所用的密钥：例如每次进程启动都随机生成密钥、负载均衡的多个实例使用不同密钥、或轮换密钥时未保留旧密钥用于验证。在把每次失败都视为攻击之前，应先排除密钥不一致的情况。",
  "versions": [
    {
      "version": "Express.js 4.18",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": null,
      "status": "active"
    },
    {
      "version": "Flask 2.3",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": null,
      "status": "active"
    },
    {
      "version": "Django 4.2",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": null,
      "status": "active"
    },
    {
      "version": "ASP.NET Core 7.0",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": null,
      "status": "active"
    }
  ],
  "os_specific": {},
  "dead_ends": [
    {
      "action": "",
      "why_fails": "Rotating the secret key without a transition period (keeping the previous key valid for verification only) invalidates every outstanding session at once, producing a mass logout, and does nothing about the tampering itself: a forged or modified cookie simply fails again under the new key. If the real cause is a secret mismatch between instances or across restarts, rotating the key on one instance makes the mismatch worse.",
      "fail_rate": 0.4,
      "condition": "",
      "sources": []
    },
    {
      "action": "",
      "why_fails": "Disabling signature validation (or falling back to reading the unsigned cookie payload) to silence the error removes the only integrity control on the session cookie: any client can then set arbitrary session contents such as another user's ID or an admin flag. Development-only toggles of this kind routinely leak into production configuration.",
      "fail_rate": 0.5,
      "condition": "",
      "sources": []
    },
    {
      "action": "",
      "why_fails": "Switching the HMAC hash function (e.g. to MD5) to 'fix' performance is misguided: HMAC verification is not a meaningful cost, changing the algorithm alters the signature format so every existing cookie fails validation, and it moves the scheme onto a deprecated primitive. Keep the framework's default algorithm and fix the key handling instead.",
      "fail_rate": 0.1,
      "condition": "",
      "sources": []
    }
  ],
  "workarounds": [
    {
      "action": "Load the signing secret from configuration or a secret manager (never a string literal in source) and, when rotating, accept both the old and the new key for verification during a transition period so users are not mass-logged-out. express-session accepts an array of secrets: the first element signs new cookies and every element is tried on verification: `app.use(session({ secret: [process.env.SESSION_SECRET_NEW, process.env.SESSION_SECRET_OLD], resave: false, saveUninitialized: true }))`. Remove the old key once existing sessions have expired.",
      "success_rate": 0.9,
      "how": "Load the signing secret from configuration or a secret manager (never a string literal in source) and, when rotating, accept both the old and the new key for verification during a transition period so users are not mass-logged-out. express-session accepts an array of secrets: the first element signs new cookies and every element is tried on verification: `app.use(session({ secret: [process.env.SESSION_SECRET_NEW, process.env.SESSION_SECRET_OLD], resave: false, saveUninitialized: true }))`. Remove the old key once existing sessions have expired.",
      "condition": "",
      "sources": []
    },
    {
      "action": "Treat signature failures as a security signal: log them (client IP, user agent, cookie name; never the cookie value or the secret), alert on spikes, and discard the presented session rather than trying to repair it. Note that Flask's default cookie session (`SecureCookieSessionInterface.open_session`) already swallows `itsdangerous.BadSignature` and returns an empty session, so to detect tampering you must subclass the session interface, or catch `BadSignature` where you call `loads()` directly, then clear the cookie and redirect to login.",
      "success_rate": 0.75,
      "how": "Treat signature failures as a security signal: log them (client IP, user agent, cookie name; never the cookie value or the secret), alert on spikes, and discard the presented session rather than trying to repair it. Note that Flask's default cookie session (`SecureCookieSessionInterface.open_session`) already swallows `itsdangerous.BadSignature` and returns an empty session, so to detect tampering you must subclass the session interface, or catch `BadSignature` where you call `loads()` directly, then clear the cookie and redirect to login.",
      "condition": "",
      "sources": []
    }
  ],
  "workarounds_zh": [
    "从配置或密钥管理服务加载签名密钥（切勿在源码中写死字面值），轮换时在过渡期内同时接受新旧密钥进行验证，避免用户被批量登出。express-session 支持密钥数组：第一个元素用于签发新Cookie，验证时会依次尝试所有元素：`app.use(session({ secret: [process.env.SESSION_SECRET_NEW, process.env.SESSION_SECRET_OLD], resave: false, saveUninitialized: true }))`。待现有会话全部过期后移除旧密钥。",
    "将签名验证失败视为安全信号：记录日志（客户端IP、User-Agent、Cookie名称；切勿记录Cookie值或密钥），对失败激增告警，并直接丢弃该会话而不要尝试修复。注意 Flask 默认的Cookie会话（`SecureCookieSessionInterface.open_session`）会静默捕获 `itsdangerous.BadSignature` 并返回空会话，因此要检测篡改需要子类化会话接口，或在直接调用 `loads()` 处捕获 `BadSignature`，然后清除Cookie并重定向到登录页。"
  ],
  "transition_graph": {
    "leads_to": [],
    "preceded_by": [],
    "frequently_confused_with": []
  },
  "official_doc_url": "https://expressjs.com/en/resources/middleware/session.html",
  "official_doc_section": null,
  "error_code": "SEC-3001",
  "verification_tier": "ai_generated",
  "confidence": 0.85,
  "fix_success_rate": 0.85,
  "resolvable": "true",
  "first_seen": "2023-06-10",
  "last_confirmed": "2024-06-01",
  "last_updated": "2024-06-01",
  "evidence_count": 1,
  "tags": [],
  "locale": "en",
  "aliases": []
}