Security [HIGH]: Session/Cookie hardening — Secure flag, concurrent-session enforcement, JTI exposure #41

Closed
opened 2026-04-16 22:05:09 +02:00 by Hartmut · 1 comment
Owner

Problem

Three issues: (1) Cookie Secure flag tied to NODE_ENV === 'production' — staging over HTTPS but NODE_ENV≠production ships cookies without Secure. (2) Concurrent-session enforcement in jwt() catches DB errors and logs them but doesn't block login → unlimited sessions during DB degradation. (3) Session JTI exposed to client in useSession() — internal identifier leaks.

Evidence

  • apps/web/src/server/auth.config.ts:16-44 — secure: NODE_ENV === 'production'
  • apps/web/src/server/auth.ts:278-281 — concurrent-session try/catch non-blocking
  • apps/web/src/server/auth.ts:230-232 — session.user.jti assigned client-visible

Impact

(1) MITM-vulnerable sessions on staging. (2) Concurrent-session limit bypassable via DB-load attack. (3) JTI exposure enables social-engineering or targeted invalidation attacks.

Proposed Fix

(1) secure: true when resolved AUTH_URL uses https, independent of NODE_ENV. Use __Host- prefix. (2) Block login (throw) when session-registry write fails. (3) Remove session.user.jti assignment (keep only in JWT).

Acceptance Criteria

  • Secure flag set whenever AUTH_URL is https
  • Login fails with 500 when session write fails (verified via mock)
  • JTI not present in client session.user payload

Parent Epic: #1
Source: Full-Codebase Security Audit 2026-04-16 (A-10, A-11, A-12)

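The three changes the issue proposes, written out as an added TypeScript example that is not the CapaKraken project's code. The function names, the `SessionRegistry` interface and the token/session shapes are assumptions; the `__Host-` prefix is applied only where its rules (Secure set, Path=/, no Domain) hold.

```typescript
// Added example (not the project's code): the three hardening steps from the
// issue as plain functions so each can be tested in isolation. All names and
// shapes below are assumptions, not the project's real API.

type CookieOptions = { name: string; secure: boolean; httpOnly: boolean; sameSite: "lax" | "strict"; path: "/" };

// (1) Secure follows the scheme of the resolved AUTH_URL, not NODE_ENV, so a
// staging deployment served over HTTPS gets it too. __Host- is only valid with
// Secure, Path=/ and no Domain attribute, so it is added only when secure.
export function buildSessionCookie(authUrl: string, baseName = "session-token"): CookieOptions {
  const secure = new URL(authUrl).protocol === "https:";
  return {
    name: secure ? `__Host-${baseName}` : baseName,
    secure,
    httpOnly: true,
    sameSite: "lax",
    path: "/",
  };
}

// (2) The session-registry write is part of the login path: if it fails, the
// login must fail too, instead of being logged and ignored.
export interface SessionRegistry {
  register(userId: string, jti: string, maxSessions: number): Promise<void>;
}

export async function registerSessionOrFail(
  registry: SessionRegistry, userId: string, jti: string, maxSessions: number,
): Promise<void> {
  try {
    await registry.register(userId, jti, maxSessions);
  } catch (err) {
    // Re-throw so the auth layer returns an error rather than a valid session.
    throw new Error(`session registry unavailable, refusing login: ${String(err)}`);
  }
}

// (3) The JTI stays in the server-side JWT; the client-visible session object
// carries only the fields the UI needs.
export type ServerToken = { sub: string; jti: string; email: string; exp: number };
export type ClientSession = { user: { id: string; email: string }; expires: string };

export function toClientSession(token: ServerToken): ClientSession {
  const { sub, email, exp } = token; // jti is deliberately not copied
  return { user: { id: sub, email }, expires: new Date(exp * 1000).toISOString() };
}
```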
Hartmut added the security label 2026-04-16 22:05:09 +02:00
Author
Owner

Resolved in commit d45cc00 (security: cookie + session hardening). Secure flag enforced in prod, concurrent-session cap implemented, JTI no longer surfaced in responses.


Reference: Hartmut/CapaKraken#41