Collaborate Disseminate
Let’s say that my user signs in and the server responds with a refresh token saved in a cookie (SameSite strict, HttpOnly, CSRF token too) and with the access token in response (saved in JS memory).
I read these guidelines in a popular Has… Continue reading Is there a downside to sending a refresh token on every request to an API?
I tried reading few articles, however I’m not able to understand the merit of POP over Bearer token. Bearer token if lost (during transit over the wire) can give the holder of the token same privileges as the genuine owner. POP token is su… Continue reading How is pop token more secure than bearer token?
In a program i am writing, i use session authentication tokens that we give back to a user to have them hand in with their requests.
This is working very well but this question is about the generated token and chance of collision.
Here is … Continue reading When generating user session tokens, should i bother checking for a duplicate?
I’m in a debate of where to securely store an OAuth 2.0 access token. There are two opinions:
On the browser (inside of a HttpOnly cookie)
On the server/inside the a database
The argument against using the cookie storage mitigating the i… Continue reading Storing an OAuth 2.0 access token
I am working on a data uploading service. The requirements for this service dictate that it is accessible publicly on the internet. I need to protect the service from abuse. The service will be shared with companies that need to upload dat… Continue reading Securing a public service with single use token (or alternative approach)
I found a Instagram Basic Display API access token leaked in a website. This token belongs to a Instagram marketing account of this website. Using my leet investigating skill, below are the information i have.
This token has 3 months vali… Continue reading Does API access token that only have access to public information need to be kept secret?
We are deploying O365 in my company (Teams, Sharepoint, Exchange online, Office suite). In order to connect outside our network (remote workers especially during this pandemic), we’ve implemented MFA with MS Authenticator and OTP with SMS…. Continue reading MFA authentication to O365 – remote workers users without mobile phone. Which secure solution?
One of the really nice articles I came across while trying to understand the various grant types in Oauth2.0 was this. The author really has done a good job at explaining quite clearly what various grant types in an Oauth2.0 flow look like… Continue reading Is access token confidentiality also ensured in the Authorization Code grant type in Oauth2.0
What is a reasonable timeframe that should be defined and enforced for access token expiry to reduce
the risk of unauthorized access?
Hackers exploited a flaw in Facebook’s code impacting its “View As” feature. Continue reading Facebook Data Breach Impacts Almost 50 Million Accounts