session-cookies

Access session cookie in scrapy spiders

吃可爱长大的小学妹 submitted on 2019-11-29 00:28:09
Question: I am trying to access the session cookie within a spider. I first log in to a social network in a spider using: def parse(self, response): return [FormRequest.from_response(response, formname='login_form', formdata={'email': '...', 'pass':'...'}, callback=self.after_login)] In after_login, I would like to access the session cookies, in order to pass them to another module (selenium here) to further process the page with an authenticated session. I would like something like that: def after

Set cookie for domain instead of subDomain using NodeJS and ExpressJS

≡放荡痞女 submitted on 2019-11-29 00:13:08
Question: I have been using expressjs and mongostore for session management. Following is the code to configure store in expressjs, app.configure(function(){ app.use(express.session({ secret: conf.secret, maxAge: new Date(Date.now() + 3600000), cookie: { path: '/' }, store: new MongoStore(conf.db) })); }); I had mentioned the cookie path in the above code. But it sets the cookie in sub.domain.com instead of .domain.com. How do I achieve this? Answer 1: configure it like this: app.use(express.session({

Security of Token Based Authentication

限于喜欢 submitted on 2019-11-29 00:12:32
My understanding of token based authentication is that upon authentication (perhaps over ssl), a token is passed to the user for cheap user verification on the fly. One implementation of this would be to generate a cookie that is passed to the user for session management. But, my understanding is that token based auth (at least through cookies) is susceptible to man in the middle attacks like firesheep. Are there other methods of implementation that skirt this major security issue, or do I have a fundamental misunderstanding of tba? Your understanding is good. Fundamentally, in terms of how

Fully disable cookies in Laravel 4 API

a 夏天 submitted on 2019-11-28 19:44:34
I am using Laravel to build a RESTful API. I use Basic HTTP Auth ( Authenticate header ), with this filter: Route::filter('auth', function() { $credentials = ['email' => Request::getUser(), 'password' => Request::getPassword()]; if (!Auth::once($credentials)) { $response = ['error' => true, 'message' => 'Unauthorized request']; $code = 401; $headers = ['WWW-Authenticate' => 'Basic']; return Response::json($response, $code, $headers); } }); It works, but Laravel then tries to set a cookie for the user (sending a Set-Cookie header). I tried setting the session.driver configuration key to array ,

TokenMismatchException in VerifyCsrfToken.php line 53 in Laravel 5.1

旧时模样 submitted on 2019-11-28 13:27:36
When I try to log in, it shows me a token error. I have checked the token in the view form and it's right, and when I comment out \App\Http\Middleware\VerifyCsrfToken::class in the Kernel.php it lets me log in, but after the redirect to my dashboard I'm not logged in. I am using MAMP on Mac. <div> <h1>Login</h1> <div> {!! Form::open(['url'=>'user/login','class' => '']) !!} <input type="hidden" name="_token" value="{{ csrf_token() }}"> <ul> <li><label>Customer Code</label>{!!Form::Text('customer_code',Input::old('customer_code'),['class'=>''])!!}</li> <li><label>Password</label>{!!Form::Password('password','',['class'=>''])

Express session with different cookie domain per request?

孤人 submitted on 2019-11-28 09:16:35
I have a situation where an app can be accessed from multiple different domains. For instance, foo.com and bar.com could both in theory point to my app. Additionally, their subdomains can also point to my app, so for instance red.foo.com and blue.foo.com. I'm using Express cookie sessions, and my initialization code for the session looks like that: app.use(express.session({ secret: "secret", cookie: { domain: ".foo.com" }, store: new MongoStore({ db: db }) })); That works well for when users go through foo.com or any of its subdomains, but bar.com won't work. I need to have both at once.

Delete PHP Cookie?

对着背影说爱祢 submitted on 2019-11-28 07:39:12
Question: I currently have a cookie set as follows: setcookie("username",$username,time()+3600*24*5); How would I go about clearing the value of that cookie so that the user's username isn't filled in anymore? I have it cleared as follows: setcookie("username","",time()-60000); The user's username still comes up though. The HTML form: <?php session_start(); $username = NULL; $password = NULL; if(isset($_SESSION['username'])){ $username = $_COOKIE['username']; $password = $_COOKIE['password']; } ?>

How to change jsessionid cookie path to server root in Spring app on Jetty?

感情迁移 submitted on 2019-11-28 07:02:31
Question: I have a Jetty server running a Spring app on the /app context. The app uses sessions, so it sets a session cookie, which responds like this: set-cookie:JSESSIONID=679b6291-d1cc-47be-bbf6-7ec75214f4e5; Path=/app; HttpOnly I need that cookie to have a path of / instead of the webapp's context. Plus I want to use secure cookies. I want this response: set-cookie:JSESSIONID=679b6291-d1cc-47be-bbf6-7ec75214f4e5; Path=/; HttpOnly; Secure Where is the proper place to configure the session cookie?

Forcing Tomcat to use secure JSESSIONID cookie over http

本秂侑毒 submitted on 2019-11-28 06:21:33
Is there a way to configure Tomcat 7 to create JSESSIONID cookie with a secure flag in all occasions? Usual configuration results in Tomcat flagging session cookie with secure flag only if connection is made through https. However in my production scenario, Tomcat is behind a reverse proxy/load balancer which handles (and terminates) the https connection and contacts tomcat over http. Can I somehow force secure flag on session cookie with Tomcat, even though connection is made through plain http? In the end, contrary to my initial tests, web.xml solution worked for me on Tomcat 7. E.g. I added

Setting HTTPONLY for Classic Asp Session Cookie

99封情书 submitted on 2019-11-28 05:49:24
Does anyone know exactly how to set HTTPONLY on classic ASP session cookies? This is the final thing that's been flagged in a vulnerability scan and needs fixing ASAP, so any help is appreciated. ~~~A LITTLE MORE INFORMATION ON MY PROBLEM~~~ Can anyone please help me with this? I need to know how to set HTTPONLY on the ASPSESSION cookie created by default from ASP & IIS. This is the cookie automatically created by the server for all asp pages. If needed I can set HTTPONLY on all cookies across the site. Any help on how to do this would be massively appreciated. Thanks Thanks Elliott Microsoft