Collaborate Disseminate
Is there a way (maybe via browser extensions) to make sessions forcefully expire after a while, even if the server side is set for longer durations?
e.g. you authenticate to example.com and it starts a session that is valid for 5 hours. Yo… Continue reading (Advanced) client-side session handling in browser
My website is using session cookies (w/ SameSite=Lax, secure, httpOnly attributes) and a CSRF Token stored in localStorage. Recently I developed a teams app, which essentially loads the website through an iframe (there is no other option t… Continue reading httpOnly Session Cookies in an iframe context in the future w/o SameSite=None
I’m studying the basics of XSRF on Portswigger and I’ve completed Lab: CSRF vulnerability with no defenses with FireFox. I attempted to go a step further by completing the same lab from the terminal. However when I send a request to the se… Continue reading Unable to login to Portswigger lab website with curl or javascript [closed]
I have implemented OAuth2 for a web app. Everything is stored in the session, and I am switching this to a database. This makes sense for the subject and roles, but it also includes the temporary values like state and the redirect uri that… Continue reading OAuth2: Storing temp values in session vs database
I have implemented OAuth2 for a web app. Everything is stored in the session, and I am switching this to a database. This makes sense for the subject and roles, but it also includes the temporary values like state and the redirect uri that… Continue reading OAuth2: Storing temp values in session vs database
I have found a lot of information on creating sessions, but I am still a little confused about working with them.
For one, I am not sure how to handle updating the session on use. My understanding is that you will still have an absolute ma… Continue reading How do I handle working with/updating sessions?
We have a WordPress form that collects data on what marketing source (UTM) the user came from and upon submission, sends that UTM data to a 3rd party. Recently, a client asked me to have a web session to remember this session data for up t… Continue reading Can I set session time to 10 days without risking security issues?
I was going through this link https://medium.com/@renwa/bypass-samesite-cookies-default-to-lax-and-get-csrf-343ba09b9f2b to understand CSRF using samesite. Does that mean that the LAX+POST issue has been resolved by Chrome, which means tha… Continue reading Lax SameSite and POST (2 minute)
I am trying to work on an example for my class on how double submit cookie works and how attackers can bypass it
The idea i have is I have two domain att.com and victim.com. The login functionality on victim.com creates the session and als… Continue reading Double Submit Cookie Bypass
I am currently implementing a change-of-email request flow for a web service without MFA. My initial approach is to consult the current OWASP Guide for such a flow. In reading the document, I’ve realized this is quite different from the f… Continue reading What is the correct way to implement a change-of-email request flow?