Security Considerations To Account for When Redirecting From Microservice to Another
Information Security Asked on January 20, 2021
I am evaluating the above service design where I want to have mechanism to pass a user through multiple microservices. In this simple example, the user goes through a sign-up process and once done, the user is redirected to another microservice (B).
The session-id for microservice A is stored in a session store. However, when the user is redirected to microservice B then a new session-id is generated by microservice B and so this is stored as well in the session store.
This allows the user to traverse back and forth between microservices. Are there any security implications with this design?
One Answer
The biggest possible security implication I can see with the details presented is that you might accidentally DoS your visitors if every individual service has its own session, and therefore session cookie. Once you hit the cookie limit (typically 4096 bytes), browsers will start ignoring cookies, possibly arbitrary ones, and that will cause sessions to start being dropped.
Another possible vulnerability is that if you have to examine multiple sessions in order to do work, it's possible that a malicious user might send a large number of different session ids, real or otherwise, and force your services to examine each one, which at best would cost CPU cycles (and thus money), and at worst cause a wider system DoS.
Both of these would be mitigated by only having a single session for the user.
Answered by Mike Caron on January 20, 2021
Add your own answers!
Related Questions
What are the risks of using TLS 1.0 for web applications?
2 Asked on October 28, 2021 by stone-true
Why should browser security be prioritized?
8 Asked on October 28, 2021
Does having Frontend and Backend on the same port any consequences?
2 Asked on October 28, 2021 by kepotx
Jenkins malicious process identification
2 Asked on October 28, 2021 by nemanja-martinovic
Is there a vulnerability in subdomain redirection, similar to Open Redirect
2 Asked on October 28, 2021 by tomi-begher
Does encrypted content in a database need to be signed?
1 Asked on October 28, 2021 by ian-warburton
If I am using a VPN with allowed multiple connections can each user/device be able to view traffic of the other user?
2 Asked on October 28, 2021 by alehandro
man in the middle session management vpn vulnerability assessment
What, if anything, are the consequences of temporarily enabling and then disabling WebRTC in Firefox?
0 Asked on October 28, 2021
Is the perfect MITM attack possible?
1 Asked on October 28, 2021 by user238715
Why did “terminal commands” never get a version of SQL “parameterized queries”?
4 Asked on October 28, 2021 by m-vencel
What attack vectors does arbitrary JS on a user profile allow?
2 Asked on October 28, 2021 by sellarafaeli
How safe is opening any website on new browser tab?
3 Asked on October 28, 2021 by nkl
account security data leakage encryption passwords web browser
Processing Exceptionally High Volume Singular Flows
1 Asked on March 9, 2021 by reedghost
MAC address of router changes when i connect to VPN
1 Asked on March 3, 2021
Ask a Question
Get help from others!
Recent Questions
- How Do I Get The Ifruit App Off Of Gta 5 / Grand Theft Auto 5
- Iv’e designed a space elevator using a series of lasers. do you know anybody i could submit the designs too that could manufacture the concept and put it to use
- Need help finding a book. Female OP protagonist, magic
- Why is the WWF pending games (“Your turn”) area replaced w/ a column of “Bonus & Reward”gift boxes?
- Does Google Analytics track 404 page responses as valid page views?
Recent Answers
- Peter Machado on Why fry rice before boiling?
- Lex on Does Google Analytics track 404 page responses as valid page views?
- Jon Church on Why fry rice before boiling?
- Joshua Engel on Why fry rice before boiling?
- haakon.io on Why fry rice before boiling?