Secure cookies
atinux opened this issue · 3 comments
atinux commented
The cookie approach can be very safe if done properly. Doing the following is fairly trivial:
- use httpOnly flag (prevents JavaScript access to cookie)
- use secure flag (only set cookie for https requests)
- Signed cookies (verify source of cookie)
default-writer commented
I can definitely argue that all three of the mentioned dirty tricks do not make any sense as authentication security "enhancements"
atinux commented
What do you propose @hack2root ?
maziarz commented
@hack2root, how and why are these so called tricks categorized as dirty? You need to clarify things instead of leaving a cliffhanger.