Categories

JavaScriptPHPHTMLCssPythonWordPressWeb developmentLinuxMySQLAndroidWindowsJavaC++ / C#LayoutReactUbuntuYiiDjangoProgramming1C-BitrixLaravelSystem administrationTelegramJSONDebianPostgreSQLIOSGoogleHtaccessWindows ServerGitMacOSGoogle ChromeCMSWooСommerceBootstrapNginxSQLUnityAPI
Make a leaderReport
D
D
desposito2018-02-16 13:36:08
OAuth
desposito, 2018-02-16 13:36:08

Am I doing oAuth securely?

There is an authorization server auth.com, there are sites a.com and b.com that use it.
History:
- the client went to a.com
- clicked "Login"
- got to oAuth on the auth.com site
- logged in
- got back
- everything is fine
After that, as I understand it, he got cookies on the auth.com site, because if he enters on b.com, he will no longer need to enter a login / password, but we will identify him on auth.com by cookies ...
Conclusion: If the user's cookies are stolen (it doesn't matter how, at least copied from the browser) from auth.com, then the attackers get access to all connected sites (including a and b).
Question: How to minimize risks? How to make it so that after receiving the cookie there was no access to all services?

Reply
Answer the question

Answer the question

In order to leave comments, you need to log in

1 answer(s)
Report
D
Dmitry Bashinsky, 2018-02-16
@desposito

you can try to bind the session to IP, if cookies are stolen on another PC, they will no longer be relevant

Similar questions
V
vostotskiy2017-03-29 17:26:41
How to get user details after eBay login? 1Reply
S
stdio962017-04-01 19:50:16
How to use CURL to authorize on the site through Google or Microsoft? 1Reply
Y
Ytsu Ytsuevich2015-05-01 16:45:23
Google+ login via OAuth, how does it work? 2Reply
S
Seraphim2019-09-25 11:44:31
How to correctly write a component that will send a cross-domain request and save the token in the state? 2Reply
L
Larisa .•º2019-09-27 22:12:27
How to return a callback to the client? 1Reply

Didn't find what you were looking for?

Ask your question

Ask a Question

731 491 924 answers to any question