4 Replies
      Latest reply: Feb 5, 2017 2:14 PM by eskimo
      mjc Level 1 (0 points)

        In the case of an authentication cookie, if the cookie is not stored encrypted, it could be removed from the cookie storage and stored in the keychain. Of course it would need to be set and removed before and after sessions.

        Thanks!

        • Re: Are HTTPCookies stored encrypted by HTTPCookieStorage?
          eskimo Apple Staff (6,765 points)

          Are HTTPCookies stored encrypted by HTTPCookieStorage?

          No.  However, I believe the cookie store is covered by file protection.

          In the case of an authentication cookie, if the cookie is not stored encrypted, it could be removed from the cookie storage and stored in the keychain. Of course it would need to be set and removed before and after sessions.

          I’m not sure if this is a suggestion for Apple or a plan of action on your part.  If it’s the former, feel free to file an enhancement request for that, although keep in mind that there’s no obvious way to identify security-critical cookies.

          Please post your bug number, just for the record.

          If it’s your plan of action, my only comment is that, if you know that a specific cookie is critical to security, you might be better off manually managing that cookie rather than relying on the cookie store.  That way you can make security guarantees, rather than relying on how the cookie store happens to be implemented right now.

          Share and Enjoy

          Quinn “The Eskimo!”
          Apple Developer Relations, Developer Technical Support, Core OS/Hardware
          let myEmail = "eskimo" + "1" + "@apple.com"

            • Re: Are HTTPCookies stored encrypted by HTTPCookieStorage?
              mjc Level 1 (0 points)

              Hi Quinn,

              Thanks for your reply.

              Do you consider the security provided by file protection to not be a security guarantee equal to that of the keychain?


              As an alternative to storing an authentication token in the keychain, are credentials stored by URLCredentialStorage with the .permanent persistence attribute set on a URLCredential encrypted? If so, it seems like it would be a simpler, yet equally secure, option than storing the token in the keychain.


              Thanks!

                • Re: Are HTTPCookies stored encrypted by HTTPCookieStorage?
                  eskimo Apple Staff (6,765 points)

                  Do you consider the security provided by file protection to not be a security guarantee equal to that of the keychain?

                  The keychain is the best place to store security-sensitive data.  However, keep in mind that both the keychain and file protection support an access mode (the kSecAttrAccessible attribute in the keychain, the file protection mode for files), and that has more effect on the security of your data than anything else.

                  As an alternative to storing an authentication token in the keychain, are credentials stored by URLCredentialStorage with the .permanent persistence attribute set on a URLCredential encrypted?

                  Permanent credentials (which, btw, are only supported for password-style credentials) are stored in the keychain.

                  Share and Enjoy

                  Quinn “The Eskimo!”
                  Apple Developer Relations, Developer Technical Support, Core OS/Hardware
                  let myEmail = "eskimo" + "1" + "@apple.com"

              • Re: Are HTTPCookies stored encrypted by HTTPCookieStorage?
                KMT Level 8 (8,425 points)

                When it comes to authentication, the keychain is perhaps the better place...
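
Added example (not part of the thread and not Apple's code): one way to manage a security-critical cookie manually, as suggested above, by keeping its value in a keychain item with an explicit kSecAttrAccessible access mode and attaching it to requests that bypass the cookie store. It assumes iOS; the service and account strings and the function names are hypothetical.

```swift
import Foundation
import Security

enum KeychainError: Error { case status(OSStatus) }

// Hypothetical identifiers for the keychain item; pick your own.
private let baseQuery: [String: Any] = [
    kSecClass as String: kSecClassGenericPassword,
    kSecAttrService as String: "com.example.app.session",
    kSecAttrAccount as String: "auth-cookie",
]

/// Stores the cookie value, replacing any previous one.
func saveAuthCookie(_ value: String) throws {
    SecItemDelete(baseQuery as CFDictionary)  // an absent item is fine
    var item = baseQuery
    item[kSecValueData as String] = Data(value.utf8)
    // The access mode: readable only while the device is unlocked,
    // and never restored onto another device.
    item[kSecAttrAccessible as String] = kSecAttrAccessibleWhenUnlockedThisDeviceOnly
    let status = SecItemAdd(item as CFDictionary, nil)
    guard status == errSecSuccess else { throw KeychainError.status(status) }
}

/// Returns the stored value, or nil when no item exists.
func loadAuthCookie() throws -> String? {
    var query = baseQuery
    query[kSecReturnData as String] = true
    query[kSecMatchLimit as String] = kSecMatchLimitOne
    var result: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &result)
    if status == errSecItemNotFound { return nil }
    guard status == errSecSuccess else { throw KeychainError.status(status) }
    return (result as? Data).flatMap { String(data: $0, encoding: .utf8) }
}

/// Call at sign-out so the value does not outlive the session.
func deleteAuthCookie() {
    SecItemDelete(baseQuery as CFDictionary)
}

/// Builds a request that carries the cookie without touching HTTPCookieStorage.
func authenticatedRequest(for url: URL, cookieName: String) throws -> URLRequest {
    var request = URLRequest(url: url)
    request.httpShouldHandleCookies = false  // no automatic cookie send/store
    if let value = try loadAuthCookie() {
        request.setValue("\(cookieName)=\(value)", forHTTPHeaderField: "Cookie")
    }
    return request
}
```

With httpShouldHandleCookies set to false, the app must read the Set-Cookie header from the sign-in response itself and pass the value to saveAuthCookie.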