OAuth
desposito, 2018-02-16 13:36:08

Am I doing OAuth securely?

There is an authorization server auth.com, and there are sites a.com and b.com that use it.
History:
- the client went to a.com
- clicked "Login"
- got to OAuth on the auth.com site
- logged in
- got back
- everything is fine
After that, as I understand it, he has cookies on the auth.com site, because if he goes to b.com he no longer needs to enter a login/password; we identify him on auth.com by the cookies...
Conclusion: if the user's cookies for auth.com are stolen (it doesn't matter how, even just copied out of the browser), then the attackers get access to all connected sites (including a and b).
Question: how to minimize the risks? How can I make it so that obtaining the cookie does not give access to all services?


1 answer
Dmitry Bashinsky, 2018-02-16
@desposito

You can try binding the session to an IP address; if the cookies are stolen and used on another PC, they will no longer be valid.
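An added illustration of the answer's suggestion, written for this page and not code from the asker or the answerer: a small in-memory session store (constructed, with an assumed 8-hour absolute lifetime) that records a hash of the client IP when the SSO session is created and revokes the session when the same cookie is presented from a different address.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional

# Assumed absolute session lifetime in seconds (not a value from the page).
SESSION_LIFETIME = 8 * 3600

# In-memory store standing in for the auth.com session backend.
_sessions: Dict[str, dict] = {}


def _ip_fingerprint(ip: str) -> str:
    # Keep only a hash so the session table does not hold raw client IPs.
    return hashlib.sha256(ip.encode()).hexdigest()


def create_session(user: str, client_ip: str, now: Optional[float] = None) -> str:
    """Issue a random session id bound to the IP the login came from."""
    now = time.time() if now is None else now
    sid = secrets.token_urlsafe(32)
    _sessions[sid] = {"user": user, "ip": _ip_fingerprint(client_ip), "created": now}
    return sid


def validate_session(sid: str, client_ip: str, now: Optional[float] = None) -> Optional[str]:
    """Return the user name if the cookie is valid for this client, else None."""
    now = time.time() if now is None else now
    rec = _sessions.get(sid)
    if rec is None:
        return None
    if now - rec["created"] > SESSION_LIFETIME:
        _sessions.pop(sid, None)  # expired: drop it
        return None
    # A cookie copied out of the browser and replayed from another address
    # fails this check, and the session is revoked so the original copy stops
    # working too. Users whose address changes (mobile, NAT) must log in again.
    if not hmac.compare_digest(rec["ip"], _ip_fingerprint(client_ip)):
        _sessions.pop(sid, None)
        return None
    return rec["user"]
```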
