How to protect against cookie theft without using meta information (IP, etc.) and JS?
If someone got into the user's browser and copied the cookies for himself, is it a lost cause? Is it necessary to use JS, localStorage and other browser gadgets? Is there any way to do it purely with the HTTP protocol and the backend?
What is the protection algorithm using PHP?
What is meant by "climbed into the browser"?
If the attacker has full access to the computer / browser, then in addition to cookies, they can also get localStorage data and any other "stray" in the same way. And in principle, they can simply send requests from the browser as a legitimate user; here you are powerless.
If we are talking about stealing cookies through XSS, then there is the HttpOnly flag, which will prevent access to cookies through JS.
https://owasp.org/www-community/HttpOnly
Against MITM attacks, use HTTPS + HSTS.
As additional protection, use GeoIP databases, as social networks or mailers do, collecting user authorization data and detecting abnormal logins (another country, another city).
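
The HttpOnly and HTTPS + HSTS measures from the answer above, as a PHP session bootstrap. This is an added example, not part of the original answer; it assumes PHP 7.3 or later, and `CANONICAL_HOST`, `start_hardened_session()` and `on_login_success()` are hypothetical names.

```php
<?php
declare(strict_types=1);

// Assumption: the site's single HTTPS host name (placeholder value).
const CANONICAL_HOST = 'example.com';

function is_https(array $server): bool
{
    return !empty($server['HTTPS']) && $server['HTTPS'] !== 'off';
}

function start_hardened_session(array $server): void
{
    if (!is_https($server)) {
        // Never issue or accept the session cookie over plain HTTP.
        // Redirect to the configured host, not to the client-supplied Host header.
        $uri = $server['REQUEST_URI'] ?? '/';
        header('Location: https://' . CANONICAL_HOST . $uri, true, 301);
        exit;
    }

    // HSTS: a browser that has seen this header refuses plain-HTTP
    // connections to the host for max-age seconds, which closes the
    // downgrade path a MITM would use to capture the cookie.
    header('Strict-Transport-Security: max-age=31536000; includeSubDomains');

    ini_set('session.use_only_cookies', '1'); // never take the ID from the URL
    ini_set('session.use_strict_mode', '1');  // reject IDs the server did not issue

    session_set_cookie_params([
        'lifetime' => 0,     // dropped when the browser closes
        'path'     => '/',
        'secure'   => true,  // sent over HTTPS only
        'httponly' => true,  // not readable from document.cookie, so XSS cannot copy it
    ]);
    session_start();
}

function on_login_success(int $userId): void
{
    // Issue a fresh ID at authentication and delete the old session data,
    // so an ID captured before login is useless afterwards.
    session_regenerate_id(true);
    $_SESSION['uid'] = $userId;
}

start_hardened_session($_SERVER);
```

None of this helps once the attacker controls the browser itself, which is the case the answer calls out as undefendable.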