PHP
bonav76690, 2020-04-06 09:41:04

How to protect against cookie theft without using meta information (IP, etc.) and JS?

If someone got into the user's browser and copied his cookies for himself, is it a lost cause? Is it necessary to use JS, localStorage and other browser gadgets? Is there any way to do it purely with the HTTP protocol and the backend?
What is the protection algorithm using PHP?

3 answer(s)
nokimaro, 2020-04-06
@nokimaro

What is meant by "climbed into the browser"?
If the attacker has full access to the computer / browser, then in addition to cookies, you can also get localStorage data and any other "stray" in the same way. And in principle, you can simply send requests from the browser as a legitimate user; here you are powerless.
If we are talking about stealing cookies through XSS, then there is an HttpOnly flag that will prevent access to cookies through JS.
https://owasp.org/www-community/HttpOnly
Against MITM attacks, use HTTPS + HSTS.
As additional protection, use GeoIP databases, as social networks or mail services do, collecting user authorization data and detecting abnormal logins (another country, another city).
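
The measures from the answer above (HttpOnly, HTTPS + HSTS, GeoIP-based detection of abnormal logins) applied to a PHP session, as an added example that is not part of any answer in the thread. The function names and the `$countryOf` lookup callable are assumptions, and `SameSite` is an extra cookie attribute the thread does not mention.

```php
<?php
declare(strict_types=1);

// Added example; function names and the $countryOf callable are hypothetical.

function start_hardened_session(): void
{
    ini_set('session.use_only_cookies', '1'); // never accept a session ID from the URL
    ini_set('session.use_strict_mode', '1');  // reject IDs the server did not issue
    session_set_cookie_params([               // array form needs PHP 7.3+
        'lifetime' => 0,      // session cookie, dropped when the browser closes
        'path'     => '/',
        'secure'   => true,   // cookie travels over HTTPS only
        'httponly' => true,   // hidden from document.cookie, so XSS cannot read it
        'samesite' => 'Lax',  // not attached to cross-site subrequests
    ]);
    // HSTS: the browser refuses plain HTTP for this host for one year.
    header('Strict-Transport-Security: max-age=31536000; includeSubDomains');
    session_start();
}

function on_login(int $userId, string $ip, callable $countryOf): void
{
    session_regenerate_id(true);              // drop the pre-login session ID
    $_SESSION['uid']     = $userId;
    $_SESSION['country'] = $countryOf($ip);   // baseline for the anomaly check
}

// Returns true if the request may proceed; false means the user has to
// authenticate (again).
function check_request(string $ip, callable $countryOf): bool
{
    if (!isset($_SESSION['uid'])) {
        return false;                         // not logged in
    }
    if ($countryOf($ip) !== $_SESSION['country']) {
        $_SESSION = [];                       // cookie replayed from another country:
        session_destroy();                    // kill the session on the server side
        return false;
    }
    return true;
}

// Usage with a stub lookup (a real one would query a GeoIP database):
// $countryOf = fn(string $ip): string => 'ZZ';
// start_hardened_session();
// if (!check_request($_SERVER['REMOTE_ADDR'], $countryOf)) { /* show login form */ }
```

The country check only narrows the window in which a copied cookie is useful; a replay from the same country still passes, which matches the answer's point that full access to the browser cannot be defended against on the server.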

Vladislav, 2020-04-06
@cr1gger

Sessions, as an analogue, cannot be stolen.

Dimonchik, 2020-04-06
@dimonchik2013

if the server is rich or educational - websocket
but in general there is no problem from the word at all: it is impossible to confuse the same data
