
Questions tagged [session-management]

Management of semi-permanent interactive information interchange between two or more communicating devices, or between a computer and user

6 votes
1 answer
154 views

Do browsers like Firefox, Chrome, Opera, and Tor store TLS 1.3 session tickets on the disk?

Do browsers save TLS 1.3 session tickets on the disk to resume a TLS session after the browser process has been killed and restarted? Are there any glaring security risks of caching TLS 1.3 session ...
asked by vibhav950
1 vote
1 answer
47 views

Besides checking whether the session ID is valid, what other things should we check in order to prevent session ID leakage? [duplicate]

If the SessionID is leaked/hacked by someone else and they use that SessionID to get access to the account, can we double-check whether the SessionID is used on the right device? I'm thinking of ...
asked by blamm01
2 votes
1 answer
120 views

Is it secure to save a salt in session variables?

I know a salt isn't secure data that needs to be encrypted in the DB, but as its access should be controlled, is it considered safe to save it as a session variable at login for use later on different ...
asked by Èl Sea
0 votes
0 answers
82 views

NTRU - How are the master key and session key generated?

I am learning the PKC topics and would like to understand about the master and session key generation process regarding NTRU. Let's make it a scenario, if a user wants to register during the ...
asked by Chris Lo
1 vote
1 answer
113 views

Refresh tokens for impersonating user credentials: how to implement them?

The web app I'm developing makes use of the concepts of "access token" and "refresh token", even though it uses its own auth scheme. In certain situations, the web app needs to get ...
asked by Fabio A.
0 votes
2 answers
165 views

"Duplicate" of Chrome Tabs causes stale tokens

Our implementation for authentication works like this: the user provides username/password to the /login API; the API returns an access token and refresh token in the payload; we store the access token and refresh token ...
asked by Vin Xi
0 votes
1 answer
88 views

(Advanced) client-side session handling in browser

Is there a way (maybe via browser extensions) to make sessions forcefully expire after a while, even if the server side is set for longer durations? e.g. you authenticate to example.com and it starts ...
asked by Aethalides
0 votes
0 answers
170 views

httpOnly Session Cookies in an iframe context in the future w/o SameSite=None

My website is using session cookies (w/ SameSite=Lax, secure, httpOnly attributes) and a CSRF Token stored in localStorage. Recently I developed a teams app, which essentially loads the website ...
asked by user4503817
0 votes
1 answer
137 views

OAuth2: Storing temp values in session vs database

I have implemented OAuth2 for a web app. Everything is stored in the session, and I am switching this to a database. This makes sense for the subject and roles, but it also includes the temporary ...
asked by Ryan
2 votes
1 answer
99 views

How do I handle working with/updating sessions?

I have found a lot of information on creating sessions, but I am still a little confused about working with them. For one, I am not sure how to handle updating the session on use. My understanding is ...
asked by Jonathon
1 vote
2 answers
130 views

Can I set session time to 10 days without risking security issues?

We have a WordPress form that collects data on what marketing source (UTM) the user came from and upon submission, sends that UTM data to a 3rd party. Recently, a client asked me to have a web session ...
asked by hyemark
0 votes
0 answers
370 views

Lax SameSite and POST (2 minute)

I was going through this link https://medium.com/@renwa/bypass-samesite-cookies-default-to-lax-and-get-csrf-343ba09b9f2b to understand CSRF using SameSite. Does that mean that the Lax+POST issue has ...
asked by Johnny
0 votes
1 answer
153 views

Double Submit Cookie Bypass

I am trying to work on an example for my class on how double submit cookie works and how attackers can bypass it. The idea I have is: I have two domains, att.com and victim.com. The login functionality on ...
asked by Johnny
0 votes
0 answers
134 views

What is the correct way to implement a change-of-email request flow?

I am currently implementing a change-of-email request flow for a web service without MFA. My initial approach is to consult the current OWASP Guide for such a flow. In reading the document, I've ...
asked by peteredm
0 votes
2 answers
640 views

Can we use an access token as a session cookie in the browser? And how do we protect it?

The scenario is: you have a refresh token that is valid for a longer period of time and an access token that is valid for a shorter period of time. The setup: there is a client, an application server and ...
asked by Illakiya
