Collaborate Disseminate
Will a random-generated-session-key be enough, so that I can end the usage of csrf token? The front end, will receive the token when logged in. It will be stored in «local storage» at the client’s device and check for every request to back… Continue reading No csrf token, instead sessiontokens?
I have read a number of posts of many people expressing their confusion around the extra security gained from using an access token and a refresh token to control access to a resource API.
Picking up from this post how-does-a-jwt-refresh-t… Continue reading Do we really need refresh tokens?
I want to create a server where after the user logs the server gives them a randomly generated access token that is hashed using SHA256, that I store in the database a long with an expiration date, I thought this was secure, until I rememb… Continue reading is access token using SHA256 secure?
The scenario is: you have refresh token that is valid for a longer period of time and an access token that is valid for a shorter period of time.
The setup: There is a client, application server and authentication server.
The client stores… Continue reading can we use access token as session cookie in browser? and how to protect it?
I’m currently working on an international marketplace website and trying to decide the appropriate timeout lengths for access and refresh tokens.
We try to do the timeouts to be as strict as possible to make it more difficult for bad actor… Continue reading Best practices for access and refresh tokens timeout lengths [duplicate]
Imagine this scenario: I have a website where the token is stored in cookies without any session validation. If I were to take this exact token and use it in another web browser, I would be logged into my own account. However, how could th… Continue reading token leak by copying cookie
I have an application that I want to secure with JWT tokens. For what I have read, the common practice is to have very short lived access tokens and very long lived refresh tokens, so that when an access token is required a refresh token c… Continue reading JWT access vs refresh tokens
RFC4122bis specifies UUID v7, a version which contains 74 bits of randomness.
Assuming I use a CSPRNG to generate the random bits: Are these UUIDs considered to be unguessable and are enough to prevent attacks such as IDOR?
Continue reading Can UUID v7 be treated as a unguessable, opaque identifier?
When I try to WinRM into a Windows host (with a tool like evil-winrm) into the and when I do qwinsta, it says "No sessions exists for *", however, when I do RunasCs.exe x x "qwinsta" -l 9 it lists out the sessions cor… Continue reading Cannot `qwinsta` during WinRM, but it works when run under `NewCredentials` logon type
I’ve been reading countless articles about login flows and what’s the best for user auth, but it’s all even more confusing now.
My scenario:
I have a simple app (capacitor spa) that has a simple username/password login. I essentially have … Continue reading Best login flow for username and password authentication