Is my cookie secure?

Hello guys! Hope y'all are doing well out there!

I'm a frontend developer and facing a situation where I have to create a react app with next.js, so I created my own express server and used Firebase Auth.

I'm currently logging in and saving the token in cookies using nookies.

I heard that storing tokens in cookies and localStorage can be a bit dangerous, and people might use it for something malicious. How can I make sure that my token doesn't include information and/or is secure enough?

Appreciate your help guys, stay safe!

πŸ‘︎ 5
πŸ“°︎ r/Firebase
πŸ’¬︎
πŸ‘€︎ u/Naffaa01
πŸ“…︎ Apr 06 2021
🚨︎ report
Secure JWT Cookie Authentication (React + Strapi) youtube.com/watch?v=OESLV…
πŸ‘︎ 9
πŸ“°︎ r/learnreactjs
πŸ’¬︎
πŸ‘€︎ u/chmarus
πŸ“…︎ Nov 23 2020
🚨︎ report
Smart Cookie Secure Web Browser - a free, open source and privacy friendly browser for Android

Hello, I'm the developer of Smart Cookie Secure Web Browser (SmartCookieWeb), a WebView Android browser based on Lightning Browser. I posted it here a while ago, but it's changed significantly since, now with a significantly better extension system, a blocker for annoying cookie dialogue (still in beta, but mostly works), a completely redesigned private browsing mode and more!

Here are some of its key features:

• Completely free and ad-free

• HTTP proxy, I2P and Orbot support

• Built-in and on by default ad and tracker blocking

• A modern, easy to use UI

• A download size of less than 4MB

• Parental controls

... And much more!

You can get it from:

Google Play:

https://play.google.com/store/apps/details?id=com.cookiegames.smartcookie

F-Droid (latest version not available on website yet - F-Droid app required):

https://f-droid.org/en/packages/com.cookiegames.smartcookie

XDA Labs (requires login for download):

https://labs.xda-developers.com/store/app/com.cookiegames.smartcookie

GitHub:

https://github.com/CookieGamesOfficial/SmartCookieWeb/releases

If you have any issues let me know in the comments and I'll be happy to fix it.

πŸ‘︎ 140
πŸ“°︎ r/androidapps
πŸ’¬︎
πŸ“…︎ Feb 07 2020
🚨︎ report
Strange SESSION_COOKIE_SECURE behavior?

EDIT - /u/PriorProfile fixed it:

>I think SESSION_COOKIE_SECURE needs to be a boolean. environ.get() always returns a string cause environment variables are always strings and 'False' is truthy because it's a non-empty string.

>Try something like this maybe:

>SESSION_COOKIE_SECURE = environ.get('SESSION_COOKIE_SECURE', '').lower() == 'true'

tl;dr: When SESSION_COOKIE_SECURE is set to False in my config file, the app behavior is as if it's set to True. When it isn't set at all, the behavior is as if it's set to False.

Background: I'm building a relatively extensive Flask app that integrates Discord and Reddit bots. It'll eventually live on an HTTPS website, meaning I want to set the SESSION_COOKIE_SECURE flag as True. However, I do development of the app on an HTTP site, so said flag needs to be False in that environment. Easy enough, just change it in the .env, right? That's been working for me for some time.

Today, for reasons I can't figure out, that stopped working. I've tried rolling back to previous branch versions where I know it worked, to no avail. Ended up making a test app to drill down to find the issue. Used code from a Stack Overflow question for a simple session visit count incrementer.

flask_app.py

from flask import Flask, request, session

app = Flask(__name__, instance_relative_config=True)
app.config.from_object('config.Config')

@app.route('/', methods=['GET'])
def index():
    # Dump the request headers so the Cookie header sent by the browser is visible
    print("\n\n\n[Client-side]\n", request.headers)
    if 'visits' in session:
        session['visits'] = session.get('visits') + 1
    else:
        session['visits'] = 1
        print("[Server-side]\n", session)
    return "Total visits:{0}".format(session.get('visits'))

if __name__ == "__main__":
    app.run(host='0.0.0.0')

config.py

from os import environ, path
from dotenv import load_dotenv

basedir = path.abspath(path.dirname(path.dirname(__file__)))
load_dotenv(path.join(basedir, '.env'))

class Config:
    SECRET_KEY = environ.get('SECRET_KEY')
    FLASK_ENV = environ.get('FLASK_ENV')
    FLASK_APP = environ.get('FLASK_APP')
    SESSION_COOKI

πŸ‘︎ 2
πŸ“°︎ r/flask
πŸ’¬︎
πŸ‘€︎ u/dyslexda
πŸ“…︎ Aug 14 2020
🚨︎ report
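The mechanism behind the fix quoted above, as an added example that is not code from the post: the naive pattern hands the raw string from the environment to the config, so the string 'False' counts as truthy and the session cookie gets the Secure attribute anyway; env_bool parses the variable explicitly and rejects unrecognised values. The session cookie value and attribute set are constructed here to show what the Set-Cookie line would look like, not copied from Flask's own output.

```python
from http.cookies import SimpleCookie

# Constructed example: how "SESSION_COOKIE_SECURE=False" in a .env file still
# switches the Secure flag on, and an explicit parser that fixes it.

TRUE_VALUES = {"1", "true", "yes", "on"}
FALSE_VALUES = {"0", "false", "no", "off", ""}

def naive_secure_flag(env):
    # The pattern from the post's config.py: the raw string goes into the config.
    # Every non-empty string, including 'False', is truthy.
    return bool(env.get("SESSION_COOKIE_SECURE"))

def env_bool(env, name, default=False):
    # Parse a boolean environment variable explicitly. Anything outside the two
    # accepted sets raises, so a typo fails loudly instead of silently toggling
    # a security-relevant flag.
    raw = env.get(name)
    if raw is None:
        return default
    value = raw.strip().lower()
    if value in TRUE_VALUES:
        return True
    if value in FALSE_VALUES:
        return False
    raise ValueError(f"{name}={raw!r} is not a recognised boolean")

def session_set_cookie(secure):
    # Render a Set-Cookie line for a session cookie with the given Secure
    # setting (placeholder value; only the attributes matter here).
    cookie = SimpleCookie()
    cookie["session"] = "PLACEHOLDER"
    cookie["session"]["httponly"] = True
    cookie["session"]["path"] = "/"
    if secure:
        cookie["session"]["secure"] = True
    return cookie.output(header="").strip()

if __name__ == "__main__":
    dev_env = {"SESSION_COOKIE_SECURE": "False"}  # what the .env says in development
    print("naive :", session_set_cookie(naive_secure_flag(dev_env)))
    print("parsed:", session_set_cookie(env_bool(dev_env, "SESSION_COOKIE_SECURE")))
```

The same trap applies to any other boolean read from the environment, such as DEBUG or TESTING, so the parser is worth applying to all of them.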
Secure Session Cookie Issue, Possibly with Load Balancer

EDIT 2: DISREGARD: The problem had nothing to do with AWS. The problem was with FormsAuthentication. Creating the cookie manually fixed it.

I have a web app hosted in an EC2 instance with a classic load balancer. The webapp is an old MVC 3 ASP.NET project hosted with IIS. When logging in, the app redirects to our MFA server and sends a code to the user. After entering the code, the MFA page redirects back to our site and the user is logged in. I need to add the secure attribute to our session cookie. The authentication mode is set to use forms. From the web.config:

<httpCookies httpOnlyCookies="true" />
<authentication mode="Forms">
    <forms name="sessionCookie" loginUrl="~/" timeout="43200" defaultUrl="~/defaultPage" enableCrossAppRedirects="true" />
</authentication>

If I add requireSSL="true" to the httpCookies section it works. The session cookie has the secure attribute set to true.

<httpCookies httpOnlyCookies="true" requireSSL="true" />

However, if I set a flag to bypass MFA, the cookie is not set as secure. So I tried adding requireSSL to the forms authentication section.

<authentication mode="Forms">
    <forms name="sessionCookie" loginUrl="~/" timeout="43200" defaultUrl="~/defaultPage" enableCrossAppRedirects="true" requireSSL="true" />
</authentication>

This causes login to fail. Even if I turn MFA on, login fails after correctly entering the MFA code. The cookie is not being set in the browser. I suspect that at some point the load balancer is redirecting through plain http which drops the session cookie because it should be secure. But I can't figure out why it works when MFA is enabled.

I need to figure out how to get this to work if MFA needs to be disabled, and I want to understand what is happening. I realize this may be more of a .NET question, but I am starting here because I think it has something to do with the classic load balancer. Help me /r/aws, you're one of my only hopes.

EDIT: Changed flair to technical question.

πŸ‘︎ 2
πŸ“°︎ r/aws
πŸ’¬︎
πŸ“…︎ May 13 2020
🚨︎ report
VPN Apps (Palo Alto, Cisco, Pulse Secure and f5) - Session Cookie Vulnerability

Read this article earlier today. Out of four vendors, only Palo Alto has issued a patch. Until the apps are patched, the best defense appears to be two-factor authentication.

πŸ‘︎ 70
πŸ“°︎ r/networking
πŸ’¬︎
πŸ‘€︎ u/dhimaar
πŸ“…︎ Apr 12 2019
🚨︎ report
Cookie has to secure food in case of the coronavirus
πŸ‘︎ 10
πŸ“°︎ r/hamster
πŸ’¬︎
πŸ‘€︎ u/BebeIsImportant
πŸ“…︎ Mar 17 2020
🚨︎ report
Anyone know why cookie clicker isn't secure? Is that normal?
πŸ‘︎ 12
πŸ“°︎ r/CookieClicker
πŸ’¬︎
πŸ‘€︎ u/Coolfool791
πŸ“…︎ Apr 19 2019
🚨︎ report
Get Ready for New SameSite=None; Secure Cookie Settings blog.chromium.org/2019/10…
πŸ‘︎ 7
πŸ“°︎ r/hackernews
πŸ’¬︎
πŸ‘€︎ u/qznc_bot2
πŸ“…︎ Oct 24 2019
🚨︎ report
Put the cookie down and listen up, - If you are looking for a tool or software to help with a task, instead of searching for free <tool name> search for open source <tool name>. OpenSource tools are more reliable and secure compared to random free software on the web, idiot.

https://www.reddit.com/r/LifeProTips/comments/druui4/lpt_if_you_are_looking_for_a_tool_or_software_to/

πŸ‘︎ 4
πŸ“°︎ r/AbusiveLPT
πŸ’¬︎
πŸ‘€︎ u/LPT_Abuser
πŸ“…︎ Nov 05 2019
🚨︎ report
Developers: Get Ready for New SameSite=None; Secure Cookie Settings blog.chromium.org/2019/10…
πŸ‘︎ 2
πŸ“°︎ r/bprogramming
πŸ’¬︎
πŸ‘€︎ u/bprogramming
πŸ“…︎ Oct 23 2019
🚨︎ report
Please, review my secure cookie package github.com/chmike/cookie
πŸ‘︎ 4
πŸ“°︎ r/golang
πŸ’¬︎
πŸ‘€︎ u/chmikes
πŸ“…︎ Sep 03 2017
🚨︎ report
LPT: Computers need regular mechanical maintenance just like a car. Make sure along with virus checks, cookie dumps, and software updates you also check the fans, case condition, and hardware cleanliness and how secure it is. - LifeProTips reddit.com/r/LifeProTips/…
πŸ‘︎ 2
πŸ“°︎ r/knowyourshit
πŸ’¬︎
πŸ‘€︎ u/Know_Your_Shit
πŸ“…︎ May 23 2018
🚨︎ report
A secure cookie protocol cse.msu.edu/~alexliu/publ…
πŸ‘︎ 11
πŸ“°︎ r/programming
πŸ’¬︎
πŸ‘€︎ u/Newe_Meme
πŸ“…︎ Jun 03 2010
🚨︎ report
Sharing session data across HTTP and HTTPS pages with the secure cookie flag.

When a cookie is set with the secure flag enabled, browsers will only send it on an HTTPS page, which causes the session to be lost when going from an HTTPS page to an HTTP page because of the secure flag.

What is the best way to handle this issue if session data is to be maintained?

The obvious but unrealistic solution would be to host the entire site in https.

Edit: Specifically, a browser would have to keep a session id in a cookie. Once that cookie is set as secure-only, the session is lost when going from an HTTPS page to an HTTP page.

πŸ‘︎ 5
πŸ“°︎ r/PHP
πŸ’¬︎
πŸ‘€︎ u/owwmyeyes
πŸ“…︎ Jun 08 2011
🚨︎ report
A port of tornado secure cookie in Go. github.com/andreadipersio…
πŸ‘︎ 6
πŸ“°︎ r/golang
πŸ’¬︎
πŸ‘€︎ u/araneida
πŸ“…︎ Nov 18 2013
🚨︎ report
Setting "httpOnly" and "secure" cookie flags

I am testing nginx as a reverse proxy and am terminating SSL at the proxy. Has anyone found a way to get nginx to:

  • Apply the httpOnly and secure flags to cookies if those flags are not present in the response that comes back from the upstream server

  • NOT apply the flags if they are already present in the cookies themselves

I have found a few recipes for setting the flags (e.g. with more_set_headers or with a set-cookie-location hack). Both of these recipes pass the first test but they fail the second one, resulting in malformed cookies.

I have a variety of upstream apps and while I would like to go to those teams and tell them to fix their apps that's not feasible short term.

I am evaluating nginx plus r10 if it matters.

πŸ‘︎ 3
πŸ“°︎ r/nginx
πŸ’¬︎
πŸ‘€︎ u/BeowulfShaeffer
πŸ“…︎ Sep 04 2016
🚨︎ report
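The two requirements from the question above, written out as an added example in Python rather than as nginx configuration (this is not code from the post or from nginx): append HttpOnly and Secure to each upstream Set-Cookie value only when the attribute is missing, matching attribute names case-insensitively so an existing "secure" is not duplicated as "secure; Secure". The upstream response headers are constructed for the demonstration.

```python
# Constructed example: proxy-side hardening of Set-Cookie headers that adds
# HttpOnly/Secure only where absent, which is what the recipes in the post fail at.
# A Set-Cookie value is "name=value" followed by "; attribute" items; attribute
# names are case-insensitive (RFC 6265), so "secure", "Secure" and "SECURE" all count.

def has_attribute(attrs, name):
    # attrs: the items after the cookie pair, already stripped of whitespace.
    for attr in attrs:
        key = attr.split("=", 1)[0].strip().lower()
        if key == name:
            return True
    return False

def harden_set_cookie(header, secure=True, httponly=True):
    # Return the header with HttpOnly and/or Secure appended only when missing;
    # attributes already present are left exactly as the upstream wrote them.
    parts = [p.strip() for p in header.split(";")]
    pair, attrs = parts[0], [p for p in parts[1:] if p]
    if httponly and not has_attribute(attrs, "httponly"):
        attrs.append("HttpOnly")
    if secure and not has_attribute(attrs, "secure"):
        attrs.append("Secure")
    return "; ".join([pair] + attrs)

def harden_response_headers(headers):
    # headers: list of (name, value) tuples as an upstream response carries them.
    # Only Set-Cookie values are rewritten; everything else passes through untouched.
    out = []
    for name, value in headers:
        if name.lower() == "set-cookie":
            value = harden_set_cookie(value)
        out.append((name, value))
    return out

# Constructed upstream response: one bare cookie, one already hardened, one with
# lower-case attributes, plus an unrelated header that must pass through as-is.
SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "JSESSIONID=abc123; Path=/"),
    ("Set-Cookie", "csrf=xyz; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("Set-Cookie", "theme=dark; path=/; secure; httponly"),
]

if __name__ == "__main__":
    for name, value in harden_response_headers(SAMPLE_HEADERS):
        print(f"{name}: {value}")
```

Blanket HttpOnly will break any upstream cookie that client-side JavaScript reads, so the rule needs a per-cookie exception list before it is applied to a variety of apps.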
User authentication with a secure cookie protocol raza.narfum.org/post/1/us…
πŸ‘︎ 9
πŸ“°︎ r/PHP
πŸ’¬︎
πŸ‘€︎ u/bolln
πŸ“…︎ Feb 03 2010
🚨︎ report
Secure Cookie Authentication for CouchDB jasondavies.com/blog/2009…
πŸ‘︎ 6
πŸ“°︎ r/CouchDB
πŸ’¬︎
πŸ‘€︎ u/greut
πŸ“…︎ May 27 2009
🚨︎ report
[DEV] Smart Cookie Secure Web Browser - a secure WebView-based web browser for Android

Smart Cookie Secure Web Browser is an open source, secure and free web browser for Android. It is a fork of Lightning Browser.

Here are some of its features:

  • Block sites that don't support HTTPS

  • Redirect HTTP sites to the HTTPS version if there's one available

  • Block malicious sites

  • Parental controls

  • A modern, easy to use UI

  • Ad blocking

You can download it on Google Play here:

https://play.google.com/store/apps/details?id=com.cookiegames.smartcookie

Or the APK directly here:

https://github.com/CookieGamesOfficial/SmartCookieWeb/releases

πŸ‘︎ 9
πŸ“°︎ r/androidapps
πŸ’¬︎
πŸ“…︎ Sep 14 2019
🚨︎ report

Please note that this site uses cookies to personalise content and adverts, to provide social media features, and to analyse web traffic. Click here for more information.