abpframework / abp

Open Source Web Application Framework for ASP.NET Core. Offers an opinionated architecture to build enterprise software solutions with best practices on top of the .NET and the ASP.NET Core platforms. Provides the fundamental infrastructure, production-ready startup templates, application modules, UI themes, tooling, guides and documentation.
https://abp.io
GNU Lesser General Public License v3.0

Insufficient Session Termination #19576

Closed ebicoglu closed 1 week ago

ebicoglu commented 2 weeks ago

After logging out from the application, the authentication cookies are automatically removed, that's good... But these cookies are not invalidated on the backend. Therefore, if anyone uses the same cookies, they can still successfully make requests with the logged-out cookies.


maliming commented 2 weeks ago
1. If the browser and the server communicate with each other via the HTTPS protocol, we can assume the middleman cannot obtain the information in the request, such as cookies or tokens.

Of course, HTTPS is not enough. It would be best to prevent other situations leading to man-in-the-middle attacks, such as fake certificates. Please refer to https://www.rapid7.com/fundamentals/man-in-the-middle-attacks/ and https://www.imperva.com/learn/application-security/man-in-the-middle-attack-mitm/ for more details.

2. The server will instruct the browser to delete the cookies after logging out via the Set-Cookie header.

Even though cookies may still be valid, no one can retrieve deleted cookies. The browser is responsible for preventing cookie leaks.


3. ABP commercial will introduce a Sessions Management feature to invalidate the cookies and tokens.

https://github.com/abpio/abp-commercial-docs/blob/dev/en/modules/identity/session-management.md
https://github.com/abpio/abp-commercial-docs/blob/dev/en/modules/account/session-management.md
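An added illustration of the server-side invalidation discussed in this issue, written for this page and not taken from ABP or the ABP commercial session module: it assumes ASP.NET Core minimal APIs with cookie authentication and uses a hypothetical "sid" claim and an in-memory session store, so a cookie presented after logout is rejected by the server instead of relying only on the browser having deleted it.

```csharp
// Added example (not ABP's own code): keep a server-side record of live
// sessions so a cookie replayed after logout is rejected even though the
// cookie itself is still well-formed. The "sid" claim and the in-memory store
// are hypothetical; use a shared cache or database when running several nodes.
using System.Collections.Concurrent;
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
var builder = WebApplication.CreateBuilder(args);
var scheme = CookieAuthenticationDefaults.AuthenticationScheme;
var liveSessions = new ConcurrentDictionary<string, string>(); // sid -> user
builder.Services.AddAuthentication(scheme).AddCookie(options =>
{
    options.Cookie.HttpOnly = true;
    options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
    // Runs on every request that carries the cookie: a session id missing
    // from the store means the session was terminated on the server.
    options.Events.OnValidatePrincipal = async ctx =>
    {
        var sid = ctx.Principal?.FindFirst("sid")?.Value;
        if (sid is null || !liveSessions.ContainsKey(sid))
        {
            ctx.RejectPrincipal();
            await ctx.HttpContext.SignOutAsync(scheme);
        }
    };
});
var app = builder.Build();
app.UseAuthentication();

// Credential checking is omitted; a real login verifies the password first.
app.MapPost("/login", async (HttpContext http, string user) =>
{
    var sid = Guid.NewGuid().ToString("N");
    liveSessions[sid] = user;
    var claims = new[] { new Claim(ClaimTypes.Name, user), new Claim("sid", sid) };
    await http.SignInAsync(scheme, new ClaimsPrincipal(new ClaimsIdentity(claims, scheme)));
    return Results.Ok();
});

// Revoke on the server first, then tell the browser to delete the cookie.
app.MapPost("/logout", async (HttpContext http) =>
{
    var sid = http.User.FindFirst("sid")?.Value;
    if (sid is not null) liveSessions.TryRemove(sid, out _);
    await http.SignOutAsync(scheme);
    return Results.Ok();
});

app.Run();
```

With this in place, a request that replays the pre-logout cookie fails the OnValidatePrincipal check and is treated as unauthenticated, which is the behaviour the original report expected from the backend.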