Amazon Cookie Reuse

Date: Tue, 16 Apr 2013 10:11:36 -0400
Subject: Re: Cookie Invalidation Problem
From: AWS Security <aws-security@amazon.com>
Sender: "Jackson, Matthew" <mjack@amazon.com>
To: Craig Young
CC: AWS Security <aws-security@amazon.com>
Message-ID: <CD92D25E.16782%mjack@amazon.com>
Thread-Topic: Cookie Invalidation Problem
In-Reply-To: <CD8C2A33.15D8B%mjack@amazon.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="B_3448951899_14425343"

--B_3448951899_14425343
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: 7bit

Hi Craig,

Thank you for reporting this issue to the Amazon Web Services (AWS) Security
Group.  We take all reports of security issues seriously and thank you for
sending it to us. Our investigation shows that this is currently working as
designed however we are always looking for new opportunities to serve our
customers better.

Please note that the data stored in AWS's authentication cookies are not
valid indefinitely (regardless of the expiration date on the HTTP Cookie
header), and therefore captured cookies do not allow permanent access to
customer accounts. Further, if malware compromises a browser being used to
access the AWS Management Console, it can already surreptitiously perform
actions under the customer's identity and can block the logout function. The
ability to steal limited-lifetime authentication cookies does not present a
particularly greater attack surface.

We encourage customers concerned about the locations used for administrative
access to AWS to use IAM users configured with least privilege, and to
optionally restrict the source IP address from which those users can
interact with AWS. This would further mitigate the risk of an authentication
cookie being stolen from a customer browser and used from a different
location.

We hope this addresses your reported issue, and thank you again for
contacting AWS Security!

Sincerely,
Matt
AWS Security
https://aws.amazon.com/security