session management – WindowsTechs.com

How can I use PBKDF2 to derive an encryption key from a password and then access that key later without the password (i.e. with a cookie)?

Posted on October 5, 2024 by perite

I’m developing a notetaking app that will store users’ note and file data encrypted in a db and on backblaze (respectively). The app will not be end-to-end encrypted but data will be encrypted in transit (with TLS) and at rest (AES256, for… Continue reading How can I use PBKDF2 to derive an encryption key from a password and then access that key later without the password (i.e. with a cookie)?→

Balancing security with usability when using nonce for CSRF protection

Posted on September 10, 2024 by Gili

How does one balance security and usability when using nonces on a website?
Imagine a website where the same nonce is embedded in the page, and stored in the browser session.
If I were to replace the nonce on every page load then:

The use… Continue reading Balancing security with usability when using nonce for CSRF protection→

How to transfer session between Burp browsers on different computers via IM?

Posted on September 3, 2024 by Bitbang3r

Is there an extension for Burp Pro that will allow you to do something like the following?

Alice launches Burp Suite Pro & launches its browser. Bob does the same.

Alice logs in to a website with multiple layers of MFA that neverthel… Continue reading How to transfer session between Burp browsers on different computers via IM?→

Is this a session hijacking vulnerability?

Posted on August 30, 2024 by Jozko Mrkvicka

I have a web application that sends this cookie after login:
Set-Cookie: ASP.NET_SessionId=55adfqwdf6qdqrgsdfg; path=/; HttpOnly; SameSite=Lax

If I theoretically steal the session ID and use it in another browser, I am immediately logged … Continue reading Is this a session hijacking vulnerability?→

Is this a session hijacking vulnerability?

Posted on August 30, 2024 by Jozko Mrkvicka

I have a web application that sends this cookie after login:
Set-Cookie: ASP.NET_SessionId=55adfqwdf6qdqrgsdfg; path=/; HttpOnly; SameSite=Lax

If I theoretically steal the session ID and use it in another browser, I am immediately logged … Continue reading Is this a session hijacking vulnerability?→

Attack possible on session id reuse after login?

Posted on August 28, 2024 by GangSTARclown

I have a web application that uses a Version 4 UUID as the session id. If a user makes a request to my web application, he gets a new created session id. After a successful login, the session id does not change. The session id expires if t… Continue reading Attack possible on session id reuse after login?→

Do browsers like FireFox, Chrome, Opera, and Tor store TLS 1.3 session tickets on the disk?

Posted on June 20, 2024 by vibhav950

Do browsers save TLS 1.3 session tickets on the disk to resume a TLS session after the browser process has been killed and restarted?
Are there any glaring security risks of caching TLS 1.3 session tickets on the client side? I believe th… Continue reading Do browsers like FireFox, Chrome, Opera, and Tor store TLS 1.3 session tickets on the disk?→

Besides checking whether the session ID is valid, what other things should we check in order to prevent session ID leakage? [duplicate]

Posted on June 18, 2024 by blamm01

If the SessionID is leaked/hacked by someone else and they use that SessionID to get access to the account, can we double-check whether the SessionID is used on the right device? I’m thinking of checking the device fingerprint and whether … Continue reading Besides checking whether the session ID is valid, what other things should we check in order to prevent session ID leakage? [duplicate]→

Is it secure to save a salt in session variables

Posted on June 12, 2024 by Èl Sea

I know a salt isn’t secure data that needs to be encrypted in the dB, but as its access should be controlled, is it considered safe to save it as a session variable at login for use later on different pages? Or should it be looked up in th… Continue reading Is it secure to save a salt in session variables→

NTRU – How is the master key and session key generated?

Posted on June 10, 2024 by Chris Lo

I am learning the PKC topics and would like to understand about the master and session key generation process regarding NTRU.
Let’s make it a scenario, if a user wants to register during the registration process, the information obtained f… Continue reading NTRU – How is the master key and session key generated?→