Next.js Discord

Is passing cookie value from server to client a dangerous practice?

Unanswered
Order posted this in #help-forum
I am using Lucia auth in combination with Next.js and an additional Express server that hosts a socket.io connection for real-time chat. My application is fully protected and is mostly server-side up until the point where the user enters a chat room. I've even protected the database fetching so that no random user can fetch a conversation they're not a part of; however, I'm really struggling with protecting the socket.io server from a potentially malicious user sending a message in an unauthorized conversation. The reason for this is that to connect to my socket.io server, the component that connects to it needs to be a client component. Lucia uses a database session for authentication and the session id is stored in the cookie. What I'm doing right now is sending the cookie value from a parent server component to the socket.io client component via props, and it sends the cookie value to the Express/socket.io server. Then on the socket.io server the cookie value is checked against the database, and if the session exists and corresponds to one of the users in the conversation, the user can connect to the socket. I genuinely don't know how else I'd get that value, and I'm wondering whether the cookie value containing the session being exposed on the client side is bad, and if it is, what I can do to fix that?

8 Replies

Saint Hubert Jura Hound
Cookies are always stored in the browser. The server can access them but doesn't store them.
There's no way to get around sending cookies to the client. The client needs them to access resources like your socket.io server. They are safe to use and send to the client (over HTTPS) and it's always assumed the client is trustworthy. Cookies can be stolen though (MITM attacks or direct access to a client's system, for example), which is why they're refreshed often.
There should be some info here about security, but traditionally cookies have always been stored on the client
The issue I'm running into is that I can't read the cookies in my client component itself, however I can read them in a parent server component and then I'm passing the value of the cookie down as a raw string to the client component. That's what's sketchy (or is it?)
Okay, to add to what I've said, the reason I can't access the cookie with any package from the client is because the cookie is HttpOnly
Saint Hubert Jura Hound
Okay, it being an HttpOnly cookie makes things a little more difficult. Maybe this will help?
https://maxschmitt.me/posts/next-js-http-only-cookie-auth-tokens
Saint Hubert Jura Hound
I'm not familiar with Lucia, but if the cookie doesn't contain sensitive data it should be safe to be sent to the client. You could also maybe parse the session id and send that to the client component to validate the session on the socket.io server?
Then you don't have to send along the whole cookie value to the client
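Added example (not code from this thread or from Lucia/socket.io): the server-side check the original poster describes, written as the body of a socket.io handshake middleware that reads the session id from the Cookie header the browser attaches to the handshake, so the HttpOnly value never has to be passed through React props. Assumptions: the cookie is named `auth_session` (Lucia's default name, assumed here), the session and membership tables are constructed in-memory stand-ins, and the conversation id arrives in the client's `auth` payload.

```javascript
// Constructed stand-ins for the session and membership tables; a real
// server would query its database here.
const SESSIONS = new Map([
  ["sess_valid_abc", { userId: "u1", expiresAt: Date.now() + 3600 * 1000 }],
  ["sess_expired_xyz", { userId: "u2", expiresAt: Date.now() - 1 }],
]);
const CONVERSATION_MEMBERS = new Map([["conv-42", new Set(["u1", "u3"])]]);

// Minimal Cookie-header parser: "a=1; b=2" -> { a: "1", b: "2" }.
function parseCookies(header) {
  const out = {};
  if (!header) return out;
  for (const part of header.split(";")) {
    const idx = part.indexOf("=");
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    let value = part.slice(idx + 1).trim();
    try { value = decodeURIComponent(value); } catch { /* keep raw value */ }
    if (name) out[name] = value;
  }
  return out;
}

function isMember(userId, conversationId) {
  const members = CONVERSATION_MEMBERS.get(conversationId);
  return Boolean(members && members.has(userId));
}

// Handshake check, shaped like a socket.io `io.use((socket, next) => ...)`
// middleware body. The HttpOnly cookie is read from the Cookie header the
// browser attached to the handshake, so the client never has to see it.
// "auth_session" as the cookie name is an assumption (Lucia's default).
function authorizeHandshake(handshake, cookieName = "auth_session") {
  const cookies = parseCookies(handshake.headers && handshake.headers.cookie);
  const sessionId = cookies[cookieName];
  if (!sessionId) return { ok: false, reason: "no session cookie" };
  const session = SESSIONS.get(sessionId);
  if (!session) return { ok: false, reason: "unknown session" };
  if (session.expiresAt <= Date.now()) return { ok: false, reason: "session expired" };
  // Conversation id comes from the client's `auth` payload and is untrusted:
  // membership is checked server-side, and the same isMember() check should
  // run again in the message handler before broadcasting to a room.
  const conversationId = handshake.auth && handshake.auth.conversationId;
  if (!isMember(session.userId, conversationId)) return { ok: false, reason: "not a member" };
  return { ok: true, userId: session.userId, conversationId };
}
// Wiring (not run here): io.use((socket, next) => { const r = authorizeHandshake(socket.handshake);
//   if (!r.ok) return next(new Error(r.reason)); socket.data.userId = r.userId; next(); });
```

The browser only attaches the cookie to the handshake when the client is created with `withCredentials: true` and the Express/socket.io CORS config allows the Next.js origin with credentials.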