Collaborate Disseminate
The web app I’m developing makes use of the concepts of "access token" and "refresh token", even though it uses its own auth scheme.
In certain situations, the web app needs to get an "impersonation token" fro… Continue reading Refresh tokens for impersonating user credentials: how to implement them?
Our implementation for authentication works like this
User provides username/password to /login API
API returns access token and refresh token in payload
We store the access token and refresh token in session storage
After a period of tim… Continue reading "Duplicate" of Chrome Tabs causes stale tokens
Is there a way (maybe via browser extensions) to make sessions forcefully expire after a while, even if the server side is set for longer durations?
e.g. you authenticate to example.com and it starts a session that is valid for 5 hours. Yo… Continue reading (Advanced) client-side session handling in browser
My website is using session cookies (w/ SameSite=Lax, secure, httpOnly attributes) and a CSRF Token stored in localStorage. Recently I developed a teams app, which essentially loads the website through an iframe (there is no other option t… Continue reading httpOnly Session Cookies in an iframe context in the future w/o SameSite=None
I’m studying the basics of XSRF on Portswigger and I’ve completed Lab: CSRF vulnerability with no defenses with FireFox. I attempted to go a step further by completing the same lab from the terminal. However when I send a request to the se… Continue reading Unable to login to Portswigger lab website with curl or javascript [closed]
I have implemented OAuth2 for a web app. Everything is stored in the session, and I am switching this to a database. This makes sense for the subject and roles, but it also includes the temporary values like state and the redirect uri that… Continue reading OAuth2: Storing temp values in session vs database
I have implemented OAuth2 for a web app. Everything is stored in the session, and I am switching this to a database. This makes sense for the subject and roles, but it also includes the temporary values like state and the redirect uri that… Continue reading OAuth2: Storing temp values in session vs database
I have found a lot of information on creating sessions, but I am still a little confused about working with them.
For one, I am not sure how to handle updating the session on use. My understanding is that you will still have an absolute ma… Continue reading How do I handle working with/updating sessions?
We have a WordPress form that collects data on what marketing source (UTM) the user came from and upon submission, sends that UTM data to a 3rd party. Recently, a client asked me to have a web session to remember this session data for up t… Continue reading Can I set session time to 10 days without risking security issues?
I was going through this link https://medium.com/@renwa/bypass-samesite-cookies-default-to-lax-and-get-csrf-343ba09b9f2b to understand CSRF using samesite. Does that mean that the LAX+POST issue has been resolved by Chrome, which means tha… Continue reading Lax SameSite and POST (2 minute)