I think of the following:

- store only session ID in cookie

- regenerate session ID upon privilege escalation (login, what else?)

- destroy session upon logout

That being the case, is this really capable of doing much damage? Especially once you enable HSTS.

This is still vulnerable to the same kinds of attacks you can do with login CSRF: http://seclab.stanford.edu/websec/csrf/csrf.pdf

Though the attack scenarios for that are always very tenuous.
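The session lifecycle from the first comment (only the session ID in the cookie, a fresh ID on login, destruction on logout) together with the login CSRF point from the reply, as an added example that is not code from either commenter. It assumes a constructed in-memory store (`SESSIONS`), a constructed credential table (`USERS`), and hypothetical helper names (`new_session`, `login`, `logout`, `cookie_header`, `demo`); a real deployment would keep sessions server-side with expiry and verify password hashes. The login endpoint also checks a CSRF token bound to the pre-login session, which is the standard mitigation for login CSRF, since a cross-site form post cannot read the victim's token.

```python
import hmac
import secrets

# Constructed in-memory session store keyed by session ID (example only).
SESSIONS = {}

# Constructed sample credential; real code verifies a password hash.
USERS = {"alice": "correct horse battery staple"}


def new_session():
    """Create an anonymous session; its ID is the only value placed in the cookie."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": None, "csrf": secrets.token_urlsafe(32)}
    return sid


def get_session(sid):
    """Look up a session by ID; unknown or attacker-chosen IDs resolve to nothing."""
    return SESSIONS.get(sid)


def check_credentials(username, password):
    """Constructed stand-in for credential verification (constant-time compare)."""
    expected = USERS.get(username)
    return expected is not None and hmac.compare_digest(expected, password)


def login(sid, csrf_token, username, password):
    """Authenticate, then rotate the session ID (privilege escalation).

    The old ID is invalidated so a pre-login ID the attacker planted or observed
    (session fixation) is worthless afterwards. The CSRF token check rejects a
    login request forged from another origin (login CSRF), because the forging
    page cannot read the token tied to the victim's pre-login session.
    Returns the new session ID, or None on failure.
    """
    sess = get_session(sid)
    if sess is None:
        return None
    if not hmac.compare_digest(sess["csrf"], csrf_token):
        return None
    if not check_credentials(username, password):
        return None
    del SESSIONS[sid]  # old ID dies here
    new_sid = secrets.token_urlsafe(32)
    SESSIONS[new_sid] = {"user": username, "csrf": secrets.token_urlsafe(32)}
    return new_sid


def logout(sid):
    """Destroy the session server-side so the cookie value is no longer usable."""
    return SESSIONS.pop(sid, None) is not None


def cookie_header(sid):
    """Set-Cookie header carrying only the session ID, with defensive attributes."""
    return f"Set-Cookie: sid={sid}; Path=/; HttpOnly; Secure; SameSite=Lax"


def demo():
    """Walk the lifecycle once and report what each step leaves behind."""
    pre = new_session()  # an ID an attacker may already know before login
    csrf = SESSIONS[pre]["csrf"]
    # A forged cross-site login post lacks the right token and is rejected.
    forged = login(pre, "wrong-token", "alice", "correct horse battery staple")
    post = login(pre, csrf, "alice", "correct horse battery staple")
    return {
        "forged_login_rejected": forged is None,
        "old_id_still_valid": get_session(pre) is not None,
        "new_id_authenticated": get_session(post)["user"] == "alice",
        "ids_differ": pre != post,
        "logout_ok": logout(post),
        "valid_after_logout": get_session(post) is not None,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Running `demo()` shows the pre-login ID no longer resolving after login and the post-login ID no longer resolving after logout; the forged login attempt fails on the token check before credentials are even looked at.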
