
Is it safe to store session state of different apps in single Redis cluster?

Information Security Asked on October 28, 2021

We have a "web app as a service" offering, and right now each app has its own Redis, which stores session data.

Is it secure if we use one Redis cluster for all clients using this app?
To be clear: not users of a single app, but multiple different apps used by multiple users.

EDIT:
I should not have used the term "cluster" here. The basic idea is that I want to use a single cluster as the session store for multiple different web apps that are independent of one another.

Similar to how we use a database for multiple independent databases.

2 Answers

Such a configuration would only be as secure as the least secure webapp connecting to the Redis server.

Redis primarily runs as a single-threaded server operating with a bunch of "databases" that effectively act as namespaces to perform separation of data such that keys don't collide. Unfortunately for us, these namespaces don't give us any ability to control who can access them so anyone who can access one namespace can access all of them.

Therefore, any application can see any other application's full Redis state (the KEYS command can help here) so long as they're on the same cluster/server. As such, you will always be mixing states of differing applications even if you're using different databases and other key-naming best practices.

Assuming all of the applications are perfect, you should be fine doing this. Applications themselves probably won't poke into other applications' states and won't (accidentally) clobber each other's states or in-cache data.

However, we can't assume applications are perfect. If any of the applications connected to that server get compromised, an attacker can (potentially easily) dump all keys for the current namespace, dump other namespaces, and effectively read whatever they want. It's relatively unlikely that an attacker will know to do this, but it's better not to find out.

For security (and performance), it's often better to run a dedicated Redis instance per application. Redis is light enough that such a configuration shouldn't be too much of a load on any given server infrastructure.

Answered by Kaz Wolfe on October 28, 2021
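The answer above describes the problem with numbered Redis "databases": SELECT is available to every connection, so they namespace keys but do not control access. As an added illustration (not part of the original answer), the ACL file below shows the weak default beside a per-app hardening that is available since Redis 6: each web app gets its own user confined to its own key prefix, and loses SELECT (no hopping between databases), KEYS and SCAN (no enumeration; key patterns do not restrict these two commands because their arguments are not keys), and the @dangerous group (FLUSHALL, CONFIG, DEBUG, SWAPDB, ...). App names, prefixes and passwords are placeholders. Note also that Redis Cluster mode only supports database 0, so database-based separation is not even available there.

```conf
# /etc/redis/users.acl  (loaded via "aclfile /etc/redis/users.acl" in redis.conf)
# Added example, not from the original post. App names, key prefixes and
# passwords are placeholders; replace them before use.

# Weak: this is the implicit default user on an unconfigured server. Every client
# can SELECT any database and run KEYS '*', so one compromised app can read
# every app's sessions.
#user default on nopass ~* &* +@all

# Hardened: switch the default user off so only named users can authenticate.
user default off

# One user per web app. Rules apply left to right: grant the command groups a
# session store needs (read, write, string, hash, connection housekeeping),
# then explicitly take back SELECT, KEYS, SCAN and the @dangerous group.
# "~sess:app1:*" restricts this user to keys with that prefix; "resetchannels"
# denies all Pub/Sub channels, which a session store does not need.
user sess-app1 on >REPLACE_WITH_LONG_RANDOM_SECRET_1 ~sess:app1:* resetchannels -@all +@read +@write +@string +@hash +@connection -select -keys -scan -@dangerous
user sess-app2 on >REPLACE_WITH_LONG_RANDOM_SECRET_2 ~sess:app2:* resetchannels -@all +@read +@write +@string +@hash +@connection -select -keys -scan -@dangerous
```

After `ACL LOAD` (or a restart), check the result from a client authenticated as `sess-app1`: `SELECT 1`, `KEYS *` and `SCAN 0` must fail with NOPERM, as must `GET sess:app2:anything`, while `SETEX sess:app1:abc 3600 ...` and `GET sess:app1:abc` succeed; `ACL LIST` shows the rules as the server parsed them. This confines an application-level compromise to that app's own prefix, but it does not remove the shared fate of a single server or a leaked server-wide credential, so the answer's recommendation of one instance per application still stands where isolation matters most.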

Is it secure if we use one redis cluster for all clients using this app

The cluster will get you:

  • The ability to automatically split your dataset among multiple nodes.

  • The ability to continue operations when a subset of the nodes are experiencing failures or are unable to communicate with the rest of the cluster.

This reduces the availability-related risk from the CIA triad. But if a vulnerability/weakness exists in an application operating on the database cluster, or if the port accepting connections for Redis is out in the open, then the database containing the data of multiple users for separate applications may be compromised. Also make sure you follow the security advisories for your scaling setup; for example, if you are using Twitter's nutcracker for horizontal scaling, make sure you go through its security advisories.

Answered by Arpit Rohela on October 28, 2021
