  • Thanks for your input on the IP address drawbacks. Do you have suggestions for other ways to avoid session hijacking? I could use things like user-agent, but these are easily spoofable from what I understand. I also updated the original post based on your obvious point about including the password. Commented Sep 1, 2012 at 22:13
  • @JonWingfield: presumably, a "secure" cookie, sent over HTTPS, is "secure" -- if someone can unduly access a copy of that cookie, then there is very little you can do against it, either from the JavaScript or from the server, except deprecating old cookies, which you already envision. Commented Sep 1, 2012 at 22:19
  • Wanted to mention the HttpOnly cookie flag to secure it further (owasp.org/index.php/HttpOnly). HttpOnly is an additional flag included in a Set-Cookie HTTP response header. Using the HttpOnly flag when generating a cookie helps mitigate the risk of client-side script accessing the protected cookie (if the browser supports it). Commented Mar 14, 2014 at 6:54
  • Is JWT an implementation of the token concept described above? Such JWT tokens in API requests would let the server 1. Verify that it issued the token. 2. Determine the user based on its payload. 3. Issue tokens which last for a specific time period. Thanks. Commented May 1, 2015 at 8:57
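An added example (not from any commenter above) that makes the Secure and HttpOnly discussion concrete: it parses Set-Cookie header values, reports which of the two hardening flags a session cookie is missing, and builds a cookie that carries both. The sample headers are constructed for illustration, not captured from a real server.

```python
"""Audit Set-Cookie headers for the Secure and HttpOnly flags."""
from typing import Dict, List

# Attributes a session cookie should carry: Secure (HTTPS only) and
# HttpOnly (not readable by client-side script). Names are compared lowercased.
HARDENING_FLAGS = ("secure", "httponly")


def parse_set_cookie(header: str) -> Dict[str, str]:
    """Parse one Set-Cookie value. The cookie name is stored under 'name',
    its value under 'value', and every attribute under its lowercased name
    (bare flags such as Secure map to an empty string)."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    if not parts or "=" not in parts[0]:
        raise ValueError("first segment must be name=value")
    name, value = parts[0].split("=", 1)
    attrs = {"name": name.strip(), "value": value.strip()}
    for part in parts[1:]:
        if "=" in part:
            key, val = part.split("=", 1)
            attrs[key.strip().lower()] = val.strip()
        else:
            attrs[part.lower()] = ""
    return attrs


def missing_flags(header: str) -> List[str]:
    """Return the hardening flags absent from this Set-Cookie header."""
    attrs = parse_set_cookie(header)
    return [flag for flag in HARDENING_FLAGS if flag not in attrs]


def build_session_cookie(name: str, value: str, max_age: int) -> str:
    """Emit a session cookie with both flags set, plus Path and Max-Age."""
    return f"{name}={value}; Path=/; Max-Age={max_age}; Secure; HttpOnly"


# Constructed sample headers (hypothetical session cookie named "sid").
SAMPLE_HEADERS = [
    "sid=abc123; Path=/",                        # missing both flags
    "sid=abc123; Path=/; Secure",                # still readable by script
    build_session_cookie("sid", "abc123", 900),  # hardened
]


def audit(headers: List[str]) -> Dict[str, List[str]]:
    """Map each header to the list of flags it is missing."""
    return {h: missing_flags(h) for h in headers}


if __name__ == "__main__":
    for header, missing in audit(SAMPLE_HEADERS).items():
        print(f"{header!r}: missing {missing or 'nothing'}")
```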