More secure way than sending cookies through JSON from server to server?
In learning more about web security, I was thinking of hiding my tool for managing cookies for auth, but putting it in a backend "API" server, and having the frontend "web" server call out to that backend server to get/set cookies.
For example:
- FrontendA browser makes request to FrontendA server to login.
- FrontendA server calls out to BackendB server with FrontendA's cookies as JSON.
- BackendB takes cookies as JSON in request, processes them / does auth stuff, then creates "response" cookies.
- BackendB sends "response" cookies back to FrontendA server.
- FrontendA server sends writes cookies to cookie header on response, sending the cookies back properly to the FrontendA browser.
Is this insecure?
What happens when at step #2 exactly? Not really a computer / networking architecture expert to imagine this quickly.
- Browser sends cookies encrypted to backend server on say AWS.
- AWS server sends it to another PUBLIC address (say example.com/api).
- BackendB server is another AWS server, which handles it.
So it's basically 2 AWS servers communicating with cookies in an unencrypted fashion.
Should I just add some sort of encryption here? (What would be appropriate)?
Or is it infeasible that someone would be able to sniff/intercept this? Practically speaking, it seems like someone would have to be standing outside the AWS data centers to intercept the data. But wait, maybe when it's out in the ether, like radio signals, someone could pick it up and intercept the cookies?
How does this work exactly? Please simplify it for me somewhat.
Note: All public internet domains will use HTTPS.
