The Why and How of MAC HTTP Cookies

How a Cookie Works

What is a MAC

  1. Message owner creates the message. MACs the message using the secret key only it knows. Appends the MAC to the message.
  2. Transmits the message with the MAC appended to some untrusted party.
  3. The message with the MAC is returned to the message owner at some point. A MAC is calculated on the untrusted message using the same secret key. The calculated value is compared with the MAC appended to the message. If the MACs match, the message is trusted.

Combining a MAC and a Cookie

String cookieValue = "Om nom nom nom";
// MAC the cookie value with a secret only the server knows
String macForCookieValue = Mac.generate({value: cookieValue, secret: "server-secret123"});
// Add the "Set-Cookie" header with the MAC appended to the value
response.setHeader({name: "Set-Cookie", value: String.template("${cookieValue};${macForCookieValue}")});

// Resulting response header sent to the browser:
Set-Cookie: myCookie="Om nom nom nom;yiiS9PMRhBDdDHemtZBa3Gx0hqI"

// On the next request, split the cookie back into its value and its MAC
String cookieValue = request.getHeader({name: "myCookie"}).split(";").first();
String macForCookieValue = request.getHeader({name: "myCookie"}).split(";").last();
// Recompute the MAC over the untrusted value using the same secret
String validMac = Mac.generate({value: cookieValue, secret: "server-secret123"});
// Real code should use a constant-time comparison here so timing does not leak the MAC
boolean isValidMac = macForCookieValue.equals(validMac);
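The same sign-then-verify flow as a runnable Python example using HMAC-SHA256 from the standard library (added here; not code from the original post). The secret and cookie value are constructed for illustration; note that the value travels in the clear, which is the "no confidentiality" point made in the takeaways.

```python
import base64
import hashlib
import hmac

# Constructed secret for this example; a real server loads it from a secrets store.
SERVER_SECRET = b"server-secret123"


def _mac(value: str, secret: bytes = SERVER_SECRET) -> str:
    """HMAC-SHA256 over the cookie value, base64url-encoded without padding."""
    digest = hmac.new(secret, value.encode("utf-8"), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def sign_cookie(value: str, secret: bytes = SERVER_SECRET) -> str:
    """Build the cookie string the server sends: '<value>;<mac>'."""
    if ";" in value:
        # The separator must not appear in the value, or parsing becomes ambiguous.
        raise ValueError("cookie value must not contain ';'")
    return f"{value};{_mac(value, secret)}"


def verify_cookie(cookie: str, secret: bytes = SERVER_SECRET):
    """Return the trusted value if the MAC matches, otherwise None."""
    value, sep, presented_mac = cookie.rpartition(";")
    if not sep:
        return None  # no MAC present at all
    expected = _mac(value, secret)
    # compare_digest is constant-time, so a mismatch position is not leaked via timing.
    if not hmac.compare_digest(presented_mac, expected):
        return None
    return value


if __name__ == "__main__":
    cookie = sign_cookie("Om nom nom nom")
    print("Set-Cookie: myCookie=" + cookie)  # value is readable by anyone holding the cookie
    print(verify_cookie(cookie))              # Om nom nom nom
    tampered = "Om nom NOM nom;" + cookie.split(";")[1]
    print(verify_cookie(tampered))            # None: MAC no longer matches
```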

What About Encryption?

Takeaways

  • Use MACs to verify that data has not changed while passing through an untrusted medium, for example a cookie value held on a client (browser).
  • MACs do not provide confidentiality, and encryption alone does not provide authentication. For confidentiality plus authentication, use Authenticated Encryption (AE).

Jon Bake