session-fixation – Page 6 – WindowsTechs.com

How to avoid session fixation (Login CSRF) by MitM attack without HSTS?

Posted on September 3, 2014 by Mikko Rantalainen

I’m writing a web app that already uses TLS encrypted connections (HTTPS), Secure; HttpOnly session cookie, HMAC-SHA1 CSRF token, requires correct Referer header to avoid Login CSRF and changes session id during login to avoid basic sessio… Continue reading How to avoid session fixation (Login CSRF) by MitM attack without HSTS?→

Posted on May 15, 2013 by chotchki

I am looking at how to secure a web site against getting its session cookie stolen. These are the controls that I know are widely known/used:

HTTPS Everywhere
Only use a securely created random string for the cookie value
Mark the sessio… Continue reading Session Cookie Stealing Protection→

Posted on April 6, 2013 by F21

I have been reading about cross-subdomain cookie attacks here.

A quick overview of how it works (from Wikipedia):

A web site www.example.com hands out subdomains to untrusted third parties
One such party, Mallory, who now controls evil…. Continue reading Protecting against cross-subdomain cookie attacks→