Hello team,
How can I secure the users cookie? In my application, we are saving the idToken, accessToken cookie in browser. We have enabled HttpOnly, Secure flags to these fields. Still, I came to know that a techie end user can modify these cookie values.
Also, in the application logic, we are writing the logic as, if idToken is present in the browser cookie, then that means
user is logged in. However, after logout, a techie user can create a idToken with dummy value. In that case,
still my application shows secure pages(since the idToken is present in browser cookie)
How to mitigate these issues?
Thanks
Solved! Go to Solution.
Views
Replies
Total Likes
Here are some additional steps you can take to mitigate the issues you've described:
1. Token Expiration and Refresh: Implement token expiration and refresh mechanisms. This involves setting an expiration time for tokens (e.g., idToken, accessToken) and periodically refreshing them. When a token expires, the user will need to reauthenticate to obtain a new token.
2. Token Validation: Ensure that tokens are validated on the server side before granting access to sensitive resources. This includes verifying the signature, issuer, and expiration time of the token. Do not solely rely on the presence of a token in the cookie to determine authentication status. Implement AuthCheckerServlet as described on https://experienceleague.adobe.com/docs/experience-manager-dispatcher/using/configuring/permissions-.... The Servlet should validate the token, before providing access
3. Revocation: Implement token revocation mechanisms to invalidate tokens when a user logs out or their session expires. This can be achieved by maintaining a blacklist of revoked tokens on the server side.
4. Use HTTPS: Ensure that your application is served over HTTPS to encrypt the communication between the client and server, reducing the risk of man-in-the-middle attacks.
5. Secure Token Storage: Store tokens securely on the client side using techniques such as HttpOnly and Secure flags, as you've already done. Additionally, consider encrypting sensitive token data stored on the client side.
Here are some additional steps you can take to mitigate the issues you've described:
1. Token Expiration and Refresh: Implement token expiration and refresh mechanisms. This involves setting an expiration time for tokens (e.g., idToken, accessToken) and periodically refreshing them. When a token expires, the user will need to reauthenticate to obtain a new token.
2. Token Validation: Ensure that tokens are validated on the server side before granting access to sensitive resources. This includes verifying the signature, issuer, and expiration time of the token. Do not solely rely on the presence of a token in the cookie to determine authentication status. Implement AuthCheckerServlet as described on https://experienceleague.adobe.com/docs/experience-manager-dispatcher/using/configuring/permissions-.... The Servlet should validate the token, before providing access
3. Revocation: Implement token revocation mechanisms to invalidate tokens when a user logs out or their session expires. This can be achieved by maintaining a blacklist of revoked tokens on the server side.
4. Use HTTPS: Ensure that your application is served over HTTPS to encrypt the communication between the client and server, reducing the risk of man-in-the-middle attacks.
5. Secure Token Storage: Store tokens securely on the client side using techniques such as HttpOnly and Secure flags, as you've already done. Additionally, consider encrypting sensitive token data stored on the client side.
Views
Likes
Replies