Collaborate Disseminate
I’m designing a web-based screen sharing tool for customer support, where support agents need to view customers’ screens without requiring any software installation.
The flow I’m considering is:
Support agent generates/receives a session … Continue reading Secure session management for browser-based screen sharing support tool
I’m developing a notetaking app that will store users’ note and file data encrypted in a db and on backblaze (respectively). The app will not be end-to-end encrypted but data will be encrypted in transit (with TLS) and at rest (AES256, for… Continue reading How can I use PBKDF2 to derive an encryption key from a password and then access that key later without the password (i.e. with a cookie)?
How does one balance security and usability when using nonces on a website?
Imagine a website where the same nonce is embedded in the page, and stored in the browser session.
If I were to replace the nonce on every page load then:
The use… Continue reading Balancing security with usability when using nonce for CSRF protection
Is there an extension for Burp Pro that will allow you to do something like the following?
Alice launches Burp Suite Pro & launches its browser. Bob does the same.
Alice logs in to a website with multiple layers of MFA that neverthel… Continue reading How to transfer session between Burp browsers on different computers via IM?
I have a web application that sends this cookie after login:
Set-Cookie: ASP.NET_SessionId=55adfqwdf6qdqrgsdfg; path=/; HttpOnly; SameSite=Lax
If I theoretically steal the session ID and use it in another browser, I am immediately logged … Continue reading Is this a session hijacking vulnerability?
I have a web application that sends this cookie after login:
Set-Cookie: ASP.NET_SessionId=55adfqwdf6qdqrgsdfg; path=/; HttpOnly; SameSite=Lax
If I theoretically steal the session ID and use it in another browser, I am immediately logged … Continue reading Is this a session hijacking vulnerability?
I have a web application that uses a Version 4 UUID as the session id. If a user makes a request to my web application, he gets a new created session id. After a successful login, the session id does not change. The session id expires if t… Continue reading Attack possible on session id reuse after login?
Do browsers save TLS 1.3 session tickets on the disk to resume a TLS session after the browser process has been killed and restarted?
Are there any glaring security risks of caching TLS 1.3 session tickets on the client side? I believe th… Continue reading Do browsers like FireFox, Chrome, Opera, and Tor store TLS 1.3 session tickets on the disk?
If the SessionID is leaked/hacked by someone else and they use that SessionID to get access to the account, can we double-check whether the SessionID is used on the right device? I’m thinking of checking the device fingerprint and whether … Continue reading Besides checking whether the session ID is valid, what other things should we check in order to prevent session ID leakage? [duplicate]
I know a salt isn’t secure data that needs to be encrypted in the dB, but as its access should be controlled, is it considered safe to save it as a session variable at login for use later on different pages? Or should it be looked up in th… Continue reading Is it secure to save a salt in session variables