Are HTTPCookies stored encrypted by HTTPCookieStorage?

In the case of an authentication cookie, if the cookie is not stored encrypted, it could be removed from the cookie storage and stored in the keychain. Of course it would need to be set and removed before and after sessions.


Thanks!

Replies

Are HTTPCookies stored encrypted by HTTPCookieStorage?

No. However, I believe the cookie store is covered by file protection.

In the case of an authentication cookie, if the cookie is not stored encrypted, it could be removed from the cookie storage and stored in the keychain. Of course it would need to be set and removed before and after sessions.

I’m not sure if this is a suggestion for Apple or a plan of action on your part. If it’s the former, feel free to file an enhancement request for that, although keep in mind that there’s no obvious way to identify security-critical cookies.

Please post your bug number, just for the record.

If it’s your plan of action, my only comment is that, if you know that a specific cookie is critical to security, you might be better off manually managing that cookie rather than relying on the cookie store. That way you can make security guarantees, rather than relying on how the cookie store happens to be implemented right now.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

When it comes to authentication, the keychain is perhaps the better place...

Hi Quinn,


Thanks for your reply.


Do you consider the security provided by file protection to not be a security guarantee equal to that of the keychain?

As an alternative to storing an authentication token in the keychain, are credentials stored by URLCredentialStorage with the .permanent persistence attribute set on a URLCredential encrypted? If so, it seems like it would be a simpler, yet equally secure, option than storing the token in the keychain.

Thanks!


Do you consider the security provided by file protection to not be a security guarantee equal to that of the keychain?

The keychain is the best place to store security-sensitive data. However, keep in mind that both the keychain and file protection support an access mode (the kSecAttrAccessible attribute in the keychain, the file protection mode for files), and that has more effect on the security of your data than anything else.

As an alternative to storing an authentication token in the keychain, are credentials stored by URLCredentialStorage with the .permanent persistence attribute set on a URLCredential encrypted?

Permanent credentials (which, btw, are only supported for password-style credentials) are stored in the keychain.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"
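The following is an added example, not code from this thread, from Quinn, or from Apple. It puts together the two points made above: Quinn's suggestion in the first reply to manage a security-critical cookie manually instead of trusting the cookie store's implementation, and his note in the second reply that the kSecAttrAccessible class matters more than the storage location itself. After a session the named authentication cookie is pulled out of HTTPCookieStorage, serialised as a property list, written to the keychain as a generic-password item with kSecAttrAccessibleWhenUnlockedThisDeviceOnly, and deleted from the cookie store; before the next session it is read back and re-inserted so URLSession sends it as usual. The cookie name "session", the keychain service and account strings, and the AuthCookieStore type are all assumptions made for the example.

```swift
import Foundation
import Security

// Added example (not from the thread or Apple). Assumed names: the auth cookie is
// called "session"; the keychain service/account strings are illustrative.
enum AuthCookieStore {
    static let cookieName = "session"                   // assumption: name of the auth cookie
    static let service = "com.example.app.auth-cookie"   // assumption: illustrative service string
    static let account = "session-cookie"                // assumption: illustrative account string

    enum Error: Swift.Error { case keychain(OSStatus), badArchive }

    // Query that identifies the single keychain item holding the cookie.
    private static var baseQuery: [String: Any] {
        [kSecClass as String: kSecClassGenericPassword,
         kSecAttrService as String: service,
         kSecAttrAccount as String: account]
    }

    /// End of session: move the auth cookie from the cookie store into the keychain.
    /// Returns false when no such cookie is present.
    @discardableResult
    static func stash(from storage: HTTPCookieStorage = .shared) throws -> Bool {
        guard let cookie = storage.cookies?.first(where: { $0.name == cookieName }),
              let props = cookie.properties else { return false }

        // HTTPCookie.properties values (String, Date, NSNumber) are plist-compatible;
        // re-key from HTTPCookiePropertyKey to String so the dictionary serialises.
        let plist = Dictionary(uniqueKeysWithValues: props.map { ($0.key.rawValue, $0.value) })
        let data = try PropertyListSerialization.data(fromPropertyList: plist,
                                                      format: .binary, options: 0)

        // Replace any previous item, then add with an explicit accessibility class.
        // This is the attribute that actually governs protection: the item is only
        // readable while the device is unlocked and is never migrated to another device.
        SecItemDelete(baseQuery as CFDictionary)
        var attrs = baseQuery
        attrs[kSecValueData as String] = data
        attrs[kSecAttrAccessible as String] = kSecAttrAccessibleWhenUnlockedThisDeviceOnly
        let status = SecItemAdd(attrs as CFDictionary, nil)
        guard status == errSecSuccess else { throw Error.keychain(status) }

        // Only remove it from the cookie store once the keychain write has succeeded.
        storage.deleteCookie(cookie)
        return true
    }

    /// Start of session: read the cookie back and re-insert it into the cookie store.
    /// Returns false when nothing is stored or the stored cookie has already expired.
    @discardableResult
    static func restore(into storage: HTTPCookieStorage = .shared) throws -> Bool {
        var query = baseQuery
        query[kSecReturnData as String] = true
        query[kSecMatchLimit as String] = kSecMatchLimitOne
        var item: CFTypeRef?
        let status = SecItemCopyMatching(query as CFDictionary, &item)
        if status == errSecItemNotFound { return false }
        guard status == errSecSuccess, let data = item as? Data else { throw Error.keychain(status) }

        guard let plist = try PropertyListSerialization.propertyList(from: data, options: [],
                                                                     format: nil) as? [String: Any]
        else { throw Error.badArchive }
        let props = Dictionary(uniqueKeysWithValues:
            plist.map { (HTTPCookiePropertyKey(rawValue: $0.key), $0.value) })
        guard let cookie = HTTPCookie(properties: props) else { throw Error.badArchive }

        // Edge case: a cookie that expired while stashed is useless; drop it rather
        // than hand a stale credential back to the cookie store.
        if let expires = cookie.expiresDate, expires < Date() {
            SecItemDelete(baseQuery as CFDictionary)
            return false
        }
        storage.setCookie(cookie)
        return true
    }

    /// Logout: remove the cookie from both the cookie store and the keychain.
    static func purge(from storage: HTTPCookieStorage = .shared) {
        storage.cookies?.filter { $0.name == cookieName }.forEach(storage.deleteCookie)
        SecItemDelete(baseQuery as CFDictionary)
    }
}

// Typical call sites (assumed app lifecycle hooks):
//   on resume / before first request:  try AuthCookieStore.restore()
//   on background / after last request: try AuthCookieStore.stash()
//   on logout:                          AuthCookieStore.purge()
```

Two things to keep in mind when using this pattern. First, session cookies (no expiry) are never written to disk by HTTPCookieStorage in the first place, so the keychain round-trip only buys anything for persistent cookies. Second, while the cookie is in the store between restore() and stash(), it is protected exactly as the cookie store protects it; the window can be narrowed by restoring immediately before the request and stashing in the completion handler rather than at app lifecycle boundaries.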