Secure EPP session cookies with HMAC-SHA256 signatures #3118

Open

CydeWeys wants to merge 1 commit into google:master from CydeWeys:fix-unsigned-session-cookies

CydeWeys (Member) commented Jun 29, 2026
Remediate EPP Session Hijacking (A.2.1) by cryptographically signing and verifying the stateless SESSION_INFO cookie using HMAC-SHA256:

  • Add a new Dagger-provided sessionSecret configuration parameter.
  • Add public String sessionSecret field to RegistryConfigSettings.Misc and a default placeholder value in default-config.yaml.
  • Inject the session secret key into EppTlsAction and pass it to the CookieSessionMetadata constructor.
  • Refactor CookieSessionMetadata to format the cookie value as Base64(payload) + "." + Base64(HMAC-SHA256(payload)).
  • On instantiation, verify the signature using the session secret key and reject modified or unsigned cookies to prevent session spoofing.
  • Add test coverage in CookieSessionMetadataTest.java to sign mock cookies, verify saved cookie signatures, and reject forged signatures.

TAG=agy
CONV=610c2358-a99f-4605-94cd-ff0d4ee08176



Remediate EPP Session Hijacking (A.2.1) by cryptographically signing
and verifying the stateless SESSION_INFO cookie using HMAC-SHA256:
- Add a new Dagger-provided sessionSecret configuration parameter.
- Add public String sessionSecret field to RegistryConfigSettings.Misc
  and a default placeholder value in default-config.yaml.
- Inject the session secret key into EppTlsAction and pass it to the
  CookieSessionMetadata constructor.
- Refactor CookieSessionMetadata to format the cookie value as
  Base64(payload) + "." + Base64(HMAC-SHA256(payload)).
- On instantiation, verify the signature using the session secret key
  and reject modified or unsigned cookies to prevent session spoofing.
- Add test coverage in CookieSessionMetadataTest.java to sign mock
  cookies, verify saved cookie signatures, and reject forged signatures.

TAG=agy
CONV=610c2358-a99f-4605-94cd-ff0d4ee08176
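
The cookie format described in this PR, Base64(payload) + "." + Base64(HMAC-SHA256(payload)), as an added stand-alone Java example; it is not the PR's CookieSessionMetadata code. The class name, secret and payload are constructed, and computing the HMAC over the raw payload bytes is an assumption.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.Optional;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/** Hypothetical illustration of the signed-cookie format; not the project's implementation. */
public class SignedCookieExample {
  static byte[] hmac(byte[] payload, String secret) throws GeneralSecurityException {
    Mac mac = Mac.getInstance("HmacSHA256");
    mac.init(new SecretKeySpec(secret.getBytes(StandardCharsets.UTF_8), "HmacSHA256"));
    return mac.doFinal(payload);
  }

  /** Builds Base64(payload) + "." + Base64(HMAC-SHA256(payload)). */
  static String sign(String payload, String secret) throws GeneralSecurityException {
    Base64.Encoder enc = Base64.getEncoder();
    byte[] raw = payload.getBytes(StandardCharsets.UTF_8);
    return enc.encodeToString(raw) + "." + enc.encodeToString(hmac(raw, secret));
  }

  /** Returns the payload only if the cookie is well formed and its signature verifies. */
  static Optional<String> verify(String cookie, String secret) throws GeneralSecurityException {
    String[] parts = cookie == null ? new String[0] : cookie.split("\\.", -1);
    if (parts.length != 2) {
      return Optional.empty(); // unsigned or malformed cookie
    }
    try {
      byte[] payload = Base64.getDecoder().decode(parts[0]);
      byte[] claimed = Base64.getDecoder().decode(parts[1]);
      // MessageDigest.isEqual compares in constant time, so timing does not leak the MAC.
      return MessageDigest.isEqual(hmac(payload, secret), claimed)
          ? Optional.of(new String(payload, StandardCharsets.UTF_8))
          : Optional.empty();
    } catch (IllegalArgumentException e) {
      return Optional.empty(); // one of the parts is not valid Base64
    }
  }

  public static void main(String[] args) throws GeneralSecurityException {
    String secret = "constructed-test-secret"; // constructed value, never a real key
    String cookie = sign("clientId=TheRegistrar", secret); // constructed payload
    System.out.println(verify(cookie, secret).isPresent()); // cookie signed with the right key
    String forged = sign("clientId=OtherRegistrar", "wrong-secret");
    System.out.println(verify(forged, secret).isPresent()); // cookie signed with another key
    System.out.println(verify("clientId=TheRegistrar", secret).isPresent()); // unsigned cookie
  }
}
```
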
verifyAndDecodeCookie(cookieValue, sessionSecret);
if (sessionInfoOpt.isPresent()) {
String sessionInfo = sessionInfoOpt.get();
logger.atInfo().log("SESSION INFO: %s", sessionInfo);
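
Review bot: The logger.atInfo().log("SESSION INFO: %s", sessionInfo) line writes the decoded cookie payload to the INFO log whenever sessionInfoOpt is present; if that payload identifies the client or session, consider a finer log level or logging only non-identifying fields. The visible lines also show no branch for an empty sessionInfoOpt, so it is worth confirming that a cookie failing verification is logged (without its value) so that rejected cookies are visible in monitoring.
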