Questions tagged [session-management]
Management of semi-permanent interactive information interchange between two or more communicating devices, or between a computer and user
598 questions
Storing a session token in localstorage
5 votes · 1 answer · 1k views
I've heard the discussion many times of whether storing credentials or other sensitive info in localStorage or document.cookie is more secure. But I'm currently building a platform and I was wondering,...
Combining nonce and CSRF for HTTP form submission
1 vote · 1 answer · 86 views
I'd like to verify the following idea for combining form submission nonces and CSRF tokens. They are different concepts, but I believe we can achieve both protections with a single solution. I believe ...
Is this an effective scheme to store EEE key on browser client?
0 votes · 1 answer · 103 views
Application
For the application, I have a user-password-encrypted private key, which is basically the root key stored on servers.
The user is prompted for a password when he logs in; it decrypts the private ...
Passwordless authentication with email OTP
1 vote · 1 answer · 200 views
I want to implement a passwordless authentication flow with a code sent by email but I can't find a clear best practice on how to securely implement it on the server side.
On the client side, the flow ...
Login, logout, session ID hashing and logging
3 votes · 1 answer · 296 views
The session ID is a randomly generated string (node, crypto) of minimum 32 chars. The session ID will be stored in a NoSQL sessions table as well as in the main SQL database. I will use SHA-512 as the ...
Session token shown in the log file
0 votes · 2 answers · 206 views
I'm working on a Java web application running on Tomcat. A session token is generated and stored in a cookie when a user authenticates.
Unfortunately, when tracing is enabled, Tomcat dumps the value ...
Should all sessions expire after disabling 2FA?
8 votes · 2 answers · 2k views
I know that when enabling 2FA all sessions must expire.
But how about disabling 2FA? Should all sessions expire then?
I know that disabling 2FA is a risk, but that's not the question. I'm wondering ...
Secure session management for browser-based screen sharing support tool
0 votes · 0 answers · 63 views
I'm designing a web-based screen sharing tool for customer support, where support agents need to view customers' screens without requiring any software installation.
The flow I'm considering is:
...
How can I use PBKDF2 to derive an encryption key from a password and then access that key later without the password (i.e. with a cookie)?
4 votes · 1 answer · 494 views
I'm developing a notetaking app that will store users' note and file data encrypted in a db and on Backblaze (respectively). The app will not be end-to-end encrypted but data will be encrypted in ...
How to transfer session between Burp browsers on different computers via IM?
1 vote · 0 answers · 83 views
Is there an extension for Burp Pro that will allow you to do something like the following?
Alice launches Burp Suite Pro & launches its browser. Bob does the same.
Alice logs in to a website ...
Is this a session hijacking vulnerability?
2 votes · 3 answers · 334 views
I have a web application that sends this cookie after login:
Set-Cookie: ASP.NET_SessionId=55adfqwdf6qdqrgsdfg; path=/; HttpOnly; SameSite=Lax
If I theoretically steal the session ID and use it in ...
Attack possible on session id reuse after login?
0 votes · 2 answers · 397 views
I have a web application that uses a Version 4 UUID as the session id. If a user makes a request to my web application, he gets a newly created session id. After a successful login, the session id does ...
Do browsers like Firefox, Chrome, Opera, and Tor store TLS 1.3 session tickets on the disk?
6 votes · 1 answer · 366 views
Do browsers save TLS 1.3 session tickets on the disk to resume a TLS session after the browser process has been killed and restarted?
Are there any glaring security risks of caching TLS 1.3 session ...
Besides checking whether the session ID is valid, what other things should we check in order to prevent session ID leakage? [duplicate]
1 vote · 1 answer · 126 views
If the SessionID is leaked/hacked by someone else and they use that SessionID to get access to the account, can we double-check whether the SessionID is used on the right device? I'm thinking of ...
Is it secure to save a salt in session variables
2 votes · 1 answer · 239 views
I know a salt isn't secure data that needs to be encrypted in the DB, but as its access should be controlled, is it considered safe to save it as a session variable at login for use later on different ...