Collaborate Disseminate
In learning more about web security, I was thinking of hiding my tool for managing cookies for auth, but putting it in a backend "API" server, and having the frontend "web" server call out to that backend server to get/… Continue reading More secure way than sending cookies through JSON from server to server?
I am working on a web app and need to have access to a user’s salted hash email in middle-ware. The simplest way to do this, for me, would be a cookie. Since this is a salted sha256 hash, even if the cookie was stolen the hacker could not … Continue reading Can I store a salted hash (sha256) of an email in a user’s cookies? [migrated]
How can websites know if I had expired the evaluation period on them?
There are several websites on internet, which offer good services, like realistic voices. I was on a random one and tried out a text-to-speech service. This website had … Continue reading Determining if user has expired 30 days on free-trial websites? [closed]
So I had this simple script that extract’s the master key and decrypts the cookies using the master key. And it was working well last time I tested it which was a year ago.
However now when I am running it, it is producing an error, basica… Continue reading Did Google change their way of encrypting Cookies in their database? [closed]
As far as I’m aware, persistence cookies are only encrypted in transit (HTTPS), but aren’t inherently encrypted while being stored locally on the user’s device.
Assuming a certain persistence cookie can be used to fully authenticate login,… Continue reading Why aren’t persistence cookies locally stored in an encrypted state?
I have a ktor web application where the server sets a secure flag cookie over a secure connection (https) on the client’s side, once he properly logged in. This cookie is required to access the authentication protected routes and should on… Continue reading Secure flag cookies are sent on a non-secure connection
I have seen applications use both the Authentication HTTP header, as well as a cookie, or sometimes even both, to store & transmit BEARER tokens (JWT) when they send requests. For example, I am currently looking at an application where… Continue reading What are the security implications of receiving a secret (e.g. OAuth BEARER) token via cookie vs. Authorization header?
What I have understood (I guess):
Cross-origin Cookies:
Cookies set with Domain="example.com" are not sent with fetch requests from origins like hello.example2.com to mywebsite.example.com because they are different domains. How… Continue reading Understanding Cross-Domain Cookies and `SameSite` Attributes with Express.js and Third-Party Tracking
Passkeys prevent phishing, no one can make you login remotely (without exploits) and if they are hardware based and never leave the hardware, them even exploits might have a hard time getting them.
However, very simple exploits could still… Continue reading Is there an equivalent to passkeys but to prevent cookie stealing?
I am doing the PortSwigger CSRF lab, where the token is tied to a non-session cookie, the solution to this is that we set a cookie to the users’ browser through the search field which sets the search query to set cookie
and then do a POST … Continue reading cant set cookie from request to another domain, chrome third party cookies phaseout