Images, posts & videos related to "Secure cookie"
Hello guys! Hope y'all doing good out there!
I'm a frontend developer and facing a situation where I have to create a react app with next.js, so I created my own express server and used Firebase Auth.
I'm currently logging in and saving the token in cookies using nookies.
I heard that storing tokens in cookies and localStorage can be a bit dangerous, and people might use it for something malicious. How can I make sure that my token doesn't include information and/or is secure enough?
Appreciate your help guys, stay safe!
Hello, I'm the developer of Smart Cookie Secure Web Browser (SmartCookieWeb), a WebView Android browser based on Lightning Browser. I posted it here a while ago, but it's changed significantly since, now with a significantly better extension system, a blocker for annoying cookie dialogue (still in beta, but mostly works), a completely redesigned private browsing mode and more!
Here are some of its key features:
• Completely free and ad-free
• HTTP proxy, I2P and Orbot support
• Built-in and on by default ad and tracker blocking
• A modern, easy to use UI
• A download size of less than 4MB
• Parental controls
... And much more!
You can get it from:
Google Play:
https://play.google.com/store/apps/details?id=com.cookiegames.smartcookie
F-Droid (latest version not available on website yet - F-Droid app required):
https://f-droid.org/en/packages/com.cookiegames.smartcookie
XDA Labs (requires login for download):
https://labs.xda-developers.com/store/app/com.cookiegames.smartcookie
GitHub:
https://github.com/CookieGamesOfficial/SmartCookieWeb/releases
If you have any issues let me know in the comments and I'll be happy to fix it.
EDIT - /u/PriorProfile fixed it:
>I think SESSION_COOKIE_SECURE needs to be a boolean. environ.get() always returns a string cause environment variables are always strings and 'False' is truthy because it's a non-empty string.
>Try something like this maybe:
>SESSION_COOKIE_SECURE = environ.get('SESSION_COOKIE_SECURE', '').lower() == 'true'
tl;dr: When SESSION_COOKIE_SECURE is set to False in my config file, the app behavior is as if it's set to True. When it isn't set at all, the behavior is as if it's set to False.
Background: I'm building a relatively extensive Flask app that integrates Discord and Reddit bots. It'll eventually live on an HTTPS website, meaning I want to set the SESSION_COOKIE_SECURE flag as True. However, I do development of the app on an HTTP site, so said flag needs to be False in that environment. Easy enough, just change it in the .env, right? That's been working for me for some time.
Today, for reasons I can't figure out, that stopped working. I've tried rolling back to previous branch versions where I know it worked, to no avail. Ended up making a test app to drill down to find the issue. Used code on a Stack Overflow question for a simple session visit count incrementer.
flask_app.py
from flask import Flask, request, session

app = Flask(__name__, instance_relative_config=True)
app.config.from_object('config.Config')

@app.route('/', methods=['GET'])
def index():
    # Dump the request headers so the Cookie header sent by the browser is visible
    print("\n\n\n[Client-side]\n", request.headers)
    if 'visits' in session:
        session['visits'] = session.get('visits') + 1
    else:
        session['visits'] = 1
    print("[Server-side]\n", session)
    return "Total visits:{0}".format(session.get('visits'))

if __name__ == "__main__":
    app.run(host='0.0.0.0')
config.py
from os import environ, path
from dotenv import load_dotenv

# Load the .env file from the project root into the process environment
basedir = path.abspath(path.dirname(path.dirname(__file__)))
load_dotenv(path.join(basedir, '.env'))

class Config:
    SECRET_KEY = environ.get('SECRET_KEY')
    FLASK_ENV = environ.get('FLASK_ENV')
    FLASK_APP = environ.get('FLASK_APP')
    SESSION_COOKI
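The failure mode /u/PriorProfile describes, as an added example that is not code from the original post: Flask hands app.config['SESSION_COOKIE_SECURE'] to the cookie-rendering layer, which only tests it for truthiness, so the raw string 'False' from environ.get() enables the Secure attribute. The render function below is a constructed stand-in for that layer, not Flask's or Werkzeug's own code.

```python
import os
from typing import Mapping

TRUE_VALUES = {"1", "true", "yes", "on"}

def env_flag(name: str, environ: Mapping[str, str] = os.environ, default: bool = False) -> bool:
    """Parse a boolean-valued environment variable.

    Environment variables are always strings, so the value must be
    compared, not tested for truthiness: 'False' is a non-empty string.
    """
    raw = environ.get(name)
    if raw is None:
        return default
    return raw.strip().lower() in TRUE_VALUES

def render_session_cookie(name: str, value: str, secure) -> str:
    """Constructed stand-in for the Set-Cookie rendering Flask delegates
    to Werkzeug: the `secure` argument is only checked for truthiness."""
    parts = [f"{name}={value}", "Path=/", "HttpOnly"]
    if secure:
        parts.append("Secure")
    return "; ".join(parts)

def buggy_config(environ: Mapping[str, str]) -> dict:
    # What the original config.py did: the raw string becomes the flag.
    return {"SESSION_COOKIE_SECURE": environ.get("SESSION_COOKIE_SECURE")}

def fixed_config(environ: Mapping[str, str]) -> dict:
    # The suggested fix: compare the string, store a real bool.
    return {"SESSION_COOKIE_SECURE": env_flag("SESSION_COOKIE_SECURE", environ)}

def cookie_is_secure(config: dict) -> bool:
    header = render_session_cookie("session", "abc123", config["SESSION_COOKIE_SECURE"])
    return "Secure" in header.split("; ")

if __name__ == "__main__":
    dev_env = {"SESSION_COOKIE_SECURE": "False"}  # constructed .env contents
    print("buggy:", cookie_is_secure(buggy_config(dev_env)))  # True: the bug
    print("fixed:", cookie_is_secure(fixed_config(dev_env)))  # False
```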
EDIT 2: DISREGARD: The problem had nothing to do with AWS. The problem was with FormsAuthentication. Creating the cookie manually fixed it.
I have a web app hosted in an EC2 instance with a classic load balancer. The webapp is an old MVC 3 ASP.NET project hosted with IIS. When logging in, the app redirects to our MFA server and sends a code to the user. After entering the code, the MFA page redirects back to our site and the user is logged in. I need to add the secure attribute to our session cookie. The authentication mode is set to use forms. From the web.config:
<httpCookies httpOnlyCookies="true" />
<authentication mode="Forms">
<forms name="sessionCookie" loginUrl="~/" timeout="43200" defaultUrl="~/defaultPage" enableCrossAppRedirects="true" />
</authentication>
If I add requireSSL="true" to the httpCookies section it works. The session cookie has the secure attribute set to true.
<httpCookies httpOnlyCookies="true" requireSSL="true" />
However, if I set a flag to bypass MFA, the cookie is not set as secure. So I tried adding requireSSL to the forms authentication section.
<authentication mode="Forms">
<forms name="sessionCookie" loginUrl="~/" timeout="43200" defaultUrl="~/defaultPage" enableCrossAppRedirects="true" requireSSL="true" />
</authentication>
This causes login to fail. Even if I turn MFA on, login fails after correctly entering the MFA code. The cookie is not being set in the browser. I suspect that at some point the load balancer is redirecting through plain http which drops the session cookie because it should be secure. But I can't figure out why it works when MFA is enabled.
I need to figure out how to get this to work if MFA needs to be disabled, and I want to understand what is happening. I realize this may be more of a .NET question, but I am starting here because I think it has something to do with the classic load balancer. Help me /r/aws, you're one of my only hopes.
EDIT: Changed flair to technical question.
Read this Article earlier today. Out of four vendors, only Palo Alto has issued a patch. Until the apps are patched, best defense appears to be two factor authentication.
https://www.reddit.com/r/LifeProTips/comments/druui4/lpt_if_you_are_looking_for_a_tool_or_software_to/
When a cookie is set with the secure flag enabled, browsers will only use it on a https page, which causes the session to be lost when going from an https page to an http page because of the secure flag.
What is the best way to handle this issue if session data is to be maintained?
The obvious but unrealistic solution would be to host the entire site in https.
Edit: Specifically, a browser would have to keep a session id in a cookie. Once that cookie is set as secure-only, the session is lost when going from an https page to an http page.
I am testing nginx as a reverse proxy and am terminating SSL at the proxy. Has anyone found a way to get nginx to:
Apply the httpOnly and secure flags to cookies if those flags are not present in the response that comes back from the upstream server
NOT apply the flags if they are already present in the cookies themselves
I have found a few recipes for setting the flags (e.g. with more_set_headers or with a set-cookie-location hack). Both of these recipes pass the first test but they fail the second one, resulting in malformed cookies.
I have a variety of upstream apps and while I would like to go to those teams and tell them to fix their apps that's not feasible short term.
I am evaluating nginx plus r10 if it matters.
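The two requirements above (add HttpOnly and Secure when absent, leave them alone when already present) as an added example in Python rather than nginx configuration. It is not nginx's or the poster's code; it is the reference behaviour a proxy rewrite rule can be checked against, and the upstream headers are constructed.

```python
from typing import Iterable, List, Tuple

def add_cookie_flags(set_cookie: str, flags: Iterable[str] = ("HttpOnly", "Secure")) -> str:
    """Return the Set-Cookie value with each flag present exactly once.

    Attribute names are case-insensitive (RFC 6265), so 'httponly' from an
    upstream counts as present and is not duplicated. The name=value pair
    and other attributes (Path, Expires, SameSite, ...) keep their order.
    """
    parts = [p.strip() for p in set_cookie.split(";")]
    if not parts or not parts[0]:
        return set_cookie  # empty or malformed: leave untouched
    present = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    for flag in flags:
        if flag.lower() not in present:
            parts.append(flag)
            present.add(flag.lower())
    return "; ".join(p for p in parts if p)

def rewrite_response_cookies(headers: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Apply add_cookie_flags to every Set-Cookie header of an upstream
    response; all other headers pass through unchanged."""
    return [
        (name, add_cookie_flags(value)) if name.lower() == "set-cookie" else (name, value)
        for name, value in headers
    ]

# Constructed upstream response: one app sets no flags, one already sets
# both (in lower case), one sets only HttpOnly.
UPSTREAM_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "JSESSIONID=abc123; Path=/app"),
    ("Set-Cookie", "csrftoken=xyz; path=/; httponly; secure; SameSite=Lax"),
    ("Set-Cookie", "sid=q1w2e3; Path=/; HttpOnly; Expires=Wed, 21 Oct 2026 07:28:00 GMT"),
]

if __name__ == "__main__":
    for name, value in rewrite_response_cookies(UPSTREAM_HEADERS):
        print(f"{name}: {value}")
```

Applying the function twice yields the same header, which is the property the more_set_headers and proxy_cookie_path recipes lack.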
Smart Cookie Secure Web Browser is an open source, secure and free web browser for Android. It is a fork of Lightning Browser.
Here are some of its features:
Block sites that don't support HTTPS
Redirect HTTP sites to the HTTPS version if there's one available
Block malicious sites
Parental controls
A modern, easy to use UI
Ad blocking
You can download it on Google Play here:
https://play.google.com/store/apps/details?id=com.cookiegames.smartcookie
Or the APK directly here:
https://github.com/CookieGamesOfficial/SmartCookieWeb/releases