Improperly Stored Session Cookies – What the crates.io Team Is Doing to Fix It

The crates.io team discovered that the contents of the cargo_session cookie were being persisted to our error monitoring service, Sentry…


This content originally appeared on HackerNoon and was authored by Rust (Technical Documentation)

Today the crates.io team discovered that the contents of the cargo_session cookie were being persisted to our error monitoring service, Sentry, as part of event payloads sent when an error occurs in the crates.io backend. The value of this cookie is a signed value that identifies the currently logged in user, and therefore these cookie values could be used to impersonate any logged in user.

Sentry access is limited to a trusted subset of the crates.io team, Rust infrastructure team, and the crates.io on-call rotation team, who already have access to the production environment of crates.io. There is no evidence that these values were ever accessed or used.

Nevertheless, out of an abundance of caution, we have taken these actions today:

  1. We have merged and deployed a change to redact all cookie values from all Sentry events.
  2. We have invalidated all logged in sessions, thus making the cookies stored in Sentry useless. In effect, this means that every crates.io user has been logged out of their browser session(s).

Note that API tokens are not affected by this: they are transmitted using the Authorization HTTP header, and were already properly redacted before events were stored in Sentry. All existing API tokens will continue to work.
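To make the redaction in step 1 and the Authorization note above concrete, here is the kind of scrubbing logic one would run in a Sentry `before_send` hook before an event leaves the process. This is an added example, not the crates.io change itself; it is written against plain standard-library types so it compiles without the sentry crate, and the `[Filtered]` placeholder, the header names it handles, and the sample header values are my own assumptions.

```rust
use std::collections::BTreeMap;

/// Placeholder written in place of every secret value (assumed, not from the post).
const FILTERED: &str = "[Filtered]";

/// Redact every cookie value in a `Cookie` header but keep the cookie names,
/// so an event still shows *which* cookies were present without their contents.
/// `cargo_session=abc123; other=1` becomes `cargo_session=[Filtered]; other=[Filtered]`.
fn redact_cookie_values(cookie_header: &str) -> String {
    cookie_header
        .split(';')
        .map(str::trim)
        .filter(|pair| !pair.is_empty())
        .map(|pair| match pair.split_once('=') {
            Some((name, _value)) => format!("{}={}", name.trim(), FILTERED),
            // No '=' means no separable value; filter the whole token.
            None => FILTERED.to_string(),
        })
        .collect::<Vec<_>>()
        .join("; ")
}

/// `Set-Cookie` carries one `name=value` followed by attributes (Path, HttpOnly, ...).
/// Only the leading pair is secret; attributes are kept for debugging.
fn redact_set_cookie(value: &str) -> String {
    match value.split_once(';') {
        Some((first, attrs)) => format!("{};{}", redact_cookie_values(first), attrs),
        None => redact_cookie_values(value),
    }
}

/// Scrub the headers of a captured request. Names are matched case-insensitively
/// because HTTP header names are, and frameworks normalise them differently.
fn scrub_headers(headers: &BTreeMap<String, String>) -> BTreeMap<String, String> {
    headers
        .iter()
        .map(|(name, value)| {
            let scrubbed = match name.to_ascii_lowercase().as_str() {
                "cookie" => redact_cookie_values(value),
                "set-cookie" => redact_set_cookie(value),
                // Authorization carries API tokens; the whole value is secret.
                "authorization" => FILTERED.to_string(),
                _ => value.clone(),
            };
            (name.clone(), scrubbed)
        })
        .collect()
}

fn main() {
    // Constructed sample request headers; the token and session values are fake.
    let mut headers = BTreeMap::new();
    headers.insert("Cookie".to_string(), "cargo_session=FAKE_SESSION; theme=dark".to_string());
    headers.insert("Authorization".to_string(), "Bearer FAKE_TOKEN".to_string());
    headers.insert("User-Agent".to_string(), "cargo/1.0".to_string());
    for (name, value) in scrub_headers(&headers) {
        println!("{name}: {value}");
    }
}
```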

We apologise for the inconvenience. If you have any further questions, please contact us on Zulip or GitHub.


Adam Harvey on behalf of the crates.io team

Also published here

Feature image: https://unsplash.com/photos/baked-cookies-ZS3OfU40CQU


Rust (Technical Documentation) | Sciencx (2025-05-03T02:00:07+00:00) Improperly Stored Session Cookies – What the crates.io Team Is Doing to Fix It. Retrieved from https://www.scien.cx/2025/05/03/improperly-stored-session-cookies-what-the-crates-io-team-is-doing-to-fix-it/