RFC 6896 – Secure Cookie Sessions for HTTP(tools.ietf.org)
tools.ietf.org
RFC 6896 – Secure Cookie Sessions for HTTP
https://tools.ietf.org/html/rfc6896
9 comments
It seems this has all disadvantages of jwt-style sessions, plus a BREACH-style vulnerability in the crypto due to compression if `plain-text-cookie-value` contains data an attacker can taint.
@moderators should probably be marked [2013]
A better title:
RFC 6896 - SCS: KoanLogic's Secure Cookie Sessions for HTTP [2013]
RFC 6896 - SCS: KoanLogic's Secure Cookie Sessions for HTTP [2013]
A better better title:
RFC 6896 - SCS: KoanLogic's Insecure Cookie Sessions for HTTP [2013]
This doesn't seem to protect from Pass the Cookie attacks.
Edit - it's a common red teaming tactic: https://wunderwuzzi23.github.io/blog/passthecookie.html
Edit - it's a common red teaming tactic: https://wunderwuzzi23.github.io/blog/passthecookie.html