Collaborate Disseminate
The scenario is: you have refresh token that is valid for a longer period of time and an access token that is valid for a shorter period of time.
The setup: There is a client, application server and authentication server.
The client stores… Continue reading can we use access token as session cookie in browser? and how to protect it?
I’m currently working on an international marketplace website and trying to decide the appropriate timeout lengths for access and refresh tokens.
We try to do the timeouts to be as strict as possible to make it more difficult for bad actor… Continue reading Best practices for access and refresh tokens timeout lengths [duplicate]
Imagine this scenario: I have a website where the token is stored in cookies without any session validation. If I were to take this exact token and use it in another web browser, I would be logged into my own account. However, how could th… Continue reading token leak by copying cookie
I have an application that I want to secure with JWT tokens. For what I have read, the common practice is to have very short lived access tokens and very long lived refresh tokens, so that when an access token is required a refresh token c… Continue reading JWT access vs refresh tokens
RFC4122bis specifies UUID v7, a version which contains 74 bits of randomness.
Assuming I use a CSPRNG to generate the random bits: Are these UUIDs considered to be unguessable and are enough to prevent attacks such as IDOR?
Continue reading Can UUID v7 be treated as a unguessable, opaque identifier?
When I try to WinRM into a Windows host (with a tool like evil-winrm) into the and when I do qwinsta, it says "No sessions exists for *", however, when I do RunasCs.exe x x "qwinsta" -l 9 it lists out the sessions cor… Continue reading Cannot `qwinsta` during WinRM, but it works when run under `NewCredentials` logon type
I’ve been reading countless articles about login flows and what’s the best for user auth, but it’s all even more confusing now.
My scenario:
I have a simple app (capacitor spa) that has a simple username/password login. I essentially have … Continue reading Best login flow for username and password authentication
Stateless authentication using e.g. JWT can be dangerous as they are non-revocable and can leak giving full access. But they are really flexible.
I’m considering a scenario where the issued JWT is bound to some asymmetric key pair. It coul… Continue reading CryptoKey with IndexedDB to secure stateless authentication
I started noticing this kind of token in a lot of CTF tasks from different authors:
eyJlbWFpbCI6ImVtYWlsQG1haWxib3guZG9tYWluIiwiaWQiOjN9.ZLNCAQ.MxwKVKj_dramWyfT5XxT6g9U3xk
The structure is as follows:
Payload (usually a json string). In m… Continue reading What type of token is this?
My mobile app has this (fairly common) authentication user experience:
user signs in with email and password
user is prompted to enable biometrics for faster access next time
when user returns to app after a time of inactivity
if they en… Continue reading Re-authentication with biometrics in a mobile app using access token