A cookie, also known as an HTTP cookie, web cookie, or browser cookie, is used for an origin website to send state information to a user's browser and for the browser to return the state information to the origin site. The state information can be used for authentication, identification of a user ...
3
votes
5 answers
160 views
How can I protect myself from Evercookies?
I recently learned about the existence of the Evercookie. Is there any way I can prevent an Evercookie being placed on my computer without disabling JavaScript or cookies entirely? I don't want ...
0
votes
0 answers
11 views
Tomcat server doesn't set secure flag on session id [migrated]
I read that in Tomcat > 6 the secure flag gets set automatically on JSESSIONID cookie. Now I've just looked at the responses I got and the secure flag is not set. The installed version is 7. How come ...
0
votes
1 answer
58 views
How does the “Sign out all other sessions” feature work in Gmail?
In Gmail, at the bottom of the screen if you click Details it will show you your recent account activity and there's a button to sign you out of all other sessions. How does this work? Are they ...
0
votes
1 answer
51 views
Couldn't websites that want to track our activity just store the data in the DOM?
For example as the value of an attribute of a html tag.
<div cookie='id=1234'></div>
Then if the user deletes the cookies while at least one page of the website is open, a javascript ...
1
vote
2 answers
63 views
CSRF protection with cookie and AJAX
I would like to note that I've read the other question with an embarrassingly similar title and it does not contain an answer to my question.
I have not used CodeIgniter as a programmer, but I have ...
0
votes
2 answers
68 views
Are there any HTTP servers that can detect two cookies with the same name, but issued from different subdomains?
As a follow up to the Related Domain Cookie Attack question, I'd like to see if there are any servers that are able to detect instances where multiple cookies are sent from multiple domains.
In other ...
1
vote
1 answer
83 views
How to MiTM insert an iframe using burp or another tool?
So, I am trying to obtain a cookie without the secure flag enabled over HTTPS.
After reading about it, I came across an answer:
You visit https://secure.example.com/ which drops a cookie on
your ...
1
vote
1 answer
55 views
Secure authentication cookie for web site
Hello, I want to know if this auth token is secure enough for a site with millions of logged-in users:
...
0
votes
5 answers
129 views
Store username in cookie for a web site
I want to store the username for a web site in the cookie; is it secure?
What can a hacker do with this info?
3
votes
6 answers
200 views
Is cookie-based XSS exploitable?
Today I found an interesting site that outputs your cookie value directly to the page, so if I modify the cookie value I can XSS myself.
e.g. <span id=statistics>Last visit: ...
2
votes
3 answers
99 views
What do web trackers know about/think of me?
Many companies use HTTP cookies, flash cookies, and other analytics to track visitors on the web and classify them. How can I find out what my web profile is currently, and what these trackers are ...
10
votes
5 answers
499 views
CSRF protection with Session Id
To protect against CSRF, couldn't my page javascript just dynamically insert the session id from the cookie into the body of each HTTP request right before it's sent?
The server would then just ...
2
votes
1 answer
142 views
How can I implement authentication in my proxy server?
I have a proxy server, it will have a captive portal page. Users will be required to sign in before gaining access to the internet.
So far I am aware of IP and/or MAC address based authentication.
...
3
votes
1 answer
186 views
How can Bank of America tell that I'm logging in on a computer I haven't used with them before?
When you sign into Bank of America for the first time on a computer that you haven't used with them before, they detect this and force you to answer one of your security questions. I think I've seen ...
4
votes
1 answer
118 views
Resources/materials for implementing secure web services?
I'm implementing a REST-style (note: it needs to be more pragmatic than canonical) web API and I would like to secure it. The language I'm using is rather fresh and doesn't have a lot of high quality ...
2
votes
2 answers
144 views
Are these two ways safe?
I have two scenarios and want to know if each is secure or which risks there are.
Number One:
If the user has the edit link (edit/[md5hash]) he can edit a post. The editkey (the hash) is in a form ...
4
votes
2 answers
158 views
Does the ability for a user to choose the value of a session id cookie constitute a security flaw?
In the context of a web application, a user connects to this application and a session id cookie is set to authenticate the user for next requests. As the cookie is actually present before submitting ...
2
votes
1 answer
93 views
Should cookies that contain non sensitive information be encrypted?
I'm in the process of creating a website and use cookies to track user login. The only bit of information I store in this cookie is the user's username.
Should I be encrypting the username even ...
8
votes
3 answers
252 views
Protecting against cross-subdomain cookie attacks
I have been reading about cross-subdomain cookie attacks here.
A quick overview of how it works (from Wikipedia):
A web site www.example.com hands out subdomains to untrusted third parties
One such ...
1
vote
3 answers
414 views
What typically is the expiration date of a session cookie?
I need to create a session cookie using JavaScript (for more info see question). I'm wondering what should the expiry date be? I'm guessing it's the browsing session, so if I don't set an expiration ...
1
vote
2 answers
102 views
How do browsers know which cookie to get?
I tried writing a script that would display the contents of a cookie set by another website but it didn't work.
<?php
echo 'Website cookie is '.$_COOKIE['locale'];
?>
But I get an undefined ...
2
votes
1 answer
132 views
UUID and Open_id in cookie 'good' enough?
I am using Tomcat 7, jsp to build a small website. I am new to security and it is a school project so using Spring Security is not an option. I am attempting to store UUID and Open_id in the clients ...
1
vote
2 answers
102 views
Guarding against XSS when setting Cookies based on URI?
I have a web-site written in nginx.conf — http://mdoc.su/ — which essentially accepts two parameters, an operating system and a manual page name, and does a redirect to a different site based on the ...
5
votes
1 answer
106 views
What's the risk in putting semantically meaningful data in an HTTP session identifier?
I'm currently looking at performance optimization and am considering a way of speeding up cookie based session handling. There are advantages to having a session identifier in place when there is no ...
1
vote
3 answers
135 views
Use Authentication using 2 encrypted strings
So, basically I am trying to log a user in with a cookie and not query the DB, to improve performance.
Here is a brief idea:
Transmit everything via SSL
Set a Global secret key A and secret key B
...
1
vote
2 answers
132 views
How to check whether the cookie is set securely
I found solution for setting asp.net_sessionid cookie as secure.
The solution is to make changes in web.config file as given below.
<\system.web>
I want to know if this change is setting the ...
2
votes
1 answer
101 views
What's the point of rejecting a cookie?
When you access a website, lynx provides the option to reject a cookie; what's the point of doing so?
All I thought about is that if you don't accept a cookie, your cookie won't be stolen during an XSS ...
2
votes
2 answers
170 views
HTTPOnly Cookies: Security Depends on Client Cooperation?
I've been implementing HTTPOnly cookie-based session handling and have some questions about what HTTPOnly means.
I realise it's a flag that gets passed around in the HTTP header when setting cookies. ...
1
vote
2 answers
167 views
What security issues are there when reading cookie with .htaccess?
I have a (hobby) web site that runs only on SSL (i.e., site-wide HTTPS). The site does not deal with finances, social security numbers, or anything of that level of importance. However, I'd like to ...
11
votes
4 answers
1k views
Demystifying Web Authentication (Stateless Session Cookies)
I'm currently researching user authentication protocols for a website I'm developing. I would like to create an authentication cookie so users can stay logged in between pages.
Here is my first ...
0
votes
3 answers
111 views
How does the cookie tracking threat work?
As explained here and in lots of other cases, what is this tracking story? Browser vendors say we have the same origin policy and, for example, google.com can only read cookies saved by google.com or read ...
-1
votes
1 answer
168 views
How to secure my login user ID and passwords, especially for Facebook [closed]
I think they hack me with Facebook cookies.
I don't get what exactly is going on with me. Every time I get the login notification from another IP location. I want to secure my cookies and I wanted to ...
0
votes
1 answer
265 views
Cookies + CSRF protection + AJAX
In my app (built in Codeigniter), users can submit status updates. When submitting forms, Codeigniter automatically provides a hidden cookie. I can validate that cookie through AJAX when the user ...
1
vote
3 answers
145 views
Web Application - Cookie Expiry
We are using a web application on the cloud. I need a small clarification. We are using Perl with Apache. I see the following issue here for the below scenario. I need some input on whether this is most ...
1
vote
2 answers
179 views
Is it possible to block third party cookies but allow them when they are first party?
I have been using Cookie Monster in Firefox for a while now to great satisfaction. However, I haven't found a way to allow cookies like Google's on Google's services but block them when I visit other ...
3
votes
3 answers
600 views
cookies “secure” flag
How does the cookie "secure" attribute work to determine whether the cookie itself should be included?
e.g.
[HTTP(unencrypted) connection]
1. user has no cookie yet and tries to log in;
2. user logs in ...
6
votes
3 answers
465 views
Is my session-less authentication system secure?
So, I've created an authentication system. Pored over it for any kind of security flaws and tested the crap out of it. I think it's fairly secure, but there is one "different" by-design aspect of it ...
2
votes
1 answer
261 views
cookie issue with same domain same path but different port
I have two web apps running on the same host on the same path but on different ports
http://somedomain.com/
and
https://somedomain.com/
now when I visit first app it serves the cookie say with name abc, and ...
8
votes
4 answers
333 views
Preventing an insecure webapp on a subdomain from compromising the security of the main webapp
I want your help on getting more concrete information on a type of vulnerability that I remember vaguely.
I vaguely remember hearing about a year ago that if you set up a webapp on a subdomain, and ...
2
votes
1 answer
651 views
Stopping Session Hijacking
If you noticed, I put "stopping" instead of "preventing" in the title because I want my PHP application to be as secure as possible. I am wondering if anyone has any better ways to prevent session ...
1
vote
2 answers
103 views
Secure cookies and Path Length Constraint
Using Apache 2.2.3 on Oracle Enterprise Linux.
When setting the following setting in httpd.conf:
Header edit Set-Cookie ^(.*)$ $1;Secure ,
cookie generation (which happens on our registration page) ...
0
votes
0 answers
54 views
SSLCipherSuite and cookie creation [closed]
Our corporate server is like this:
Main VIP: abcxyz.xyz.com directing requests to the following VIPs:
abcxyz-1.xyz.com
abcxyz-2.xyz.com
The webservers behind abcxyz-1 and abcxyz-2 are on the same ...
5
votes
3 answers
159 views
What are the security implications of allowing unlimited size cookies?
Our application firewall blocks requests if it detects a cookie is present with a value greater than 1024 characters in size.
Are there any exploits involving large cookies?
i.e. How much more ...
6
votes
1 answer
164 views
Identifying, analyzing, and predicting weak session cookies
To elaborate on this, I'm looking at this from the perspective of a hacker/penetration tester. Many times I have seen web applications that I know have weak cookies. I can tell this because I can ...
4
votes
2 answers
426 views
Best way to securely set a session cookie on another domain
We currently have 2 sites http://www.foo.co.uk and https://secure.foo.com.
The www site does not have an SSL certificate and is on a different domain.
We have a login button on http://www.foo.co.uk ...
2
votes
2 answers
167 views
How can an attacker access a victim's account without knowing its credentials?
I want to log in to Facebook from a wifi connection and I check that the sign-in page is over HTTPS, but later, when I don't pay attention to the address bar (for example when playing games and clicking on links like a crazy ...
4
votes
1 answer
240 views
Secure web user authentication even after server-side database compromise
By now, we should all know to use bcrypt or scrypt to store salted password hashes with a sufficient number of rounds. (See, e.g., https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet) The ...
1
vote
3 answers
278 views
Are tracking cookies illegal?
I have a merchant website. When a user visits the website, a cookie is set. Then when the same user visits the site again, we provide him with suggestions, content that he may enjoy based on what ...
6
votes
3 answers
290 views
Is it secure to use bcrypt-generated salt in cookie to serve as token in place of a password?
I have a (hobby) web site that runs only on SSL. The site does not deal with finances, social security numbers, or anything of that level of importance. However, I'd like to secure it as much as ...
3
votes
1 answer
111 views
Vulnerabilities of having one path of an app accessible only via HTTPS but others via HTTP?
Imagine example.com that is accessible via HTTP and HTTPS. Most of the content at the site isn't secure and it won't be bad if it is read by an attacker. One of the paths, example.com/secure_zone, is accessible ...