Collaborate Disseminate
My website is using session cookies (w/ SameSite=Lax, secure, httpOnly attributes) and a CSRF Token stored in localStorage. Recently I developed a teams app, which essentially loads the website through an iframe (there is no other option t… Continue reading httpOnly Session Cookies in an iframe context in the future w/o SameSite=None
I am building a pure client-side app.
My users have a .kdbx vault stored in localStorage, and they can open it with a password.
In order to add a biometric\quick open feature into the app I thought about creating a Webauthn entry and stori… Continue reading storing user hashed password into webauthn id
I’m working on a web application where a user gains access by clicking on a magic link sent to them by an internal co-worker. Upon clicking this link, the user is automatically authenticated and a session cookie is established to maintain… Continue reading Are JWT’s needed when implementing passwordless magic link authentication?
I would like to analyze the authentication function of a given GWT web application. When authenticating with my credentials, I could identify that my credentials are sent via websocket in form of a binary blob. This most certainly is a ser… Continue reading GWT: Deserialize objects sent/received via websocket
I’m implementing a refresh-token rotation mechanism. For the sake of simplicity in implementing the frontend I would like to remove the need for requesting a new access token when an old one expires.
The idea I have goes:
User logs in via… Continue reading Refresh-token rotation without additional frontend requests
I have a problem deciding what is the most secure method to send a login request with a username and password strings, I understood that PATCH is less secure than PUT while both are less secure than POST, would it be more sensible then to … Continue reading PATCH request on a login attempt
Below is an excerpt from https://policies.google.com/technologies/cookies#security
The ‘pm_sess’, ‘YSC’ and ‘AEC’ cookies ensure that requests within a
browsing session are made by the user, and not by other sites. These
cookies prevent m… Continue reading Google Security Cookies; Prevents cookie leak to malicious XHRs
We are using an API from a third party for managing content which is secured by an API key which does not change over time. Now we are building our own API to support part of that functionality.
So the browser calls our API which is callin… Continue reading Authentication on public availble Restful API
I am using a legacy Boa web server, which adopts HTTP instead of HTTPS. Then the Nessus scan found that it doesn’t encrypt confidential data, and specifically, the password in authentication.
How can I make some altercation to the server c… Continue reading How to make Nessus believe that my web server encrypt confidential data, e.g. password when http is employed? [closed]
For quite some time WebKit and others support WebAuthn. This allows for a pretty seamless 2FA experience with a key, like Yubico. On Apple devices TouchID/FaceID can also be used as a hardware key.
This creates an interesting workflow:
Us… Continue reading Does using TouchID and WebAuthn with a password manager defeat the 2FA?