Pitfalls of manual AES encryption for data transfer [migrated]

Context
I’ve used OpenSSL to encrypt some socket communications.
I am, however, using some functionality from the Windows API that prevents me from using OpenSSL's opaque built-in sockets, so I am buffering through their BIO_s_mem interfaces …

Can we use an access token as a session cookie in the browser, and how do we protect it?

The scenario is: you have a refresh token that is valid for a longer period of time and an access token that is valid for a shorter period of time.
The setup: There is a client, application server and authentication server.
The client stores…

Best practices for access and refresh tokens timeout lengths [duplicate]

I’m currently working on an international marketplace website and trying to decide the appropriate timeout lengths for access and refresh tokens.
We try to make the timeouts as strict as possible to make it more difficult for bad actor…

Prevent Session Hijacking with copying all metadata from a browser

For example, I’m signed in to my Gmail account. If I copy all data from all the places that Chrome uses (localstorage, all the cookies, all temp folders and so on) to another PC.

How does Google prevent my old session from hijacking?
Let’…

Is there a problem with the use of HTTP cookies as auth tokens in mobile apps?

Imagine you have a website for which you have configured a proper and secure session management / login system, using first-party / session cookies. Any interaction with that website is set up in the form of a REST API, so there are no HTM…

Why do we use Session ID cookies on the web instead of a unique device identifier?

Session IDs aren’t exactly secure: you can copy them from one device to another just by copying the browser’s temp files. Techniques to tell one device apart from another have existed in browsers for a while, for example this here.
Sure yo…