Closed ebicoglu closed 1 week ago
cookies, tokens.
Of course, HTTPS is not enough. It would be best to prevent other situations leading to man-in-the-middle attacks, such as fake certificates. Please refer to https://www.rapid7.com/fundamentals/man-in-the-middle-attacks/ and https://www.imperva.com/learn/application-security/man-in-the-middle-attack-mitm/ for more details.
Set-Cookie Header
Even though cookies may still be valid, no one can retrieve deleted cookies. The browser is responsible for preventing cookie leaks.
Session Management
feature to invalidate the cookies and tokens. https://github.com/abpio/abp-commercial-docs/blob/dev/en/modules/identity/session-management.md https://github.com/abpio/abp-commercial-docs/blob/dev/en/modules/account/session-management.md
After logging out from the application, the authentication cookies are automatically removed, which is good, but these cookies are not invalidated on the backend. Therefore, if anyone uses the same cookies, they can still successfully make requests with the logged-out cookies.
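To make the failure mode above concrete, here is an added example (not ABP's code, and not the reporter's) that simulates both logout behaviours against a minimal in-memory session store. The cookie name `session`, the `SessionStore` class and the `who_am_i`/`logout_*` handlers are all constructed for this example; the point is that a "client-only" logout, which merely sends an expiring `Set-Cookie`, leaves a previously captured cookie replayable, while a logout that revokes the server-side record first does not.

```python
import secrets
import time
from http.cookies import SimpleCookie

COOKIE_NAME = "session"  # hypothetical cookie name, not the one ABP actually issues


class SessionStore:
    """In-memory server-side session store (constructed for this example)."""

    def __init__(self):
        self._sessions = {}  # session id -> {"user": ..., "expires": ...}

    def create(self, user, ttl_seconds=3600):
        sid = secrets.token_urlsafe(32)  # 256 bits of entropy, unguessable
        self._sessions[sid] = {"user": user, "expires": time.monotonic() + ttl_seconds}
        return sid

    def lookup(self, sid):
        """Return the user for a live session id, or None if unknown or expired."""
        rec = self._sessions.get(sid)
        if rec is None:
            return None
        if rec["expires"] <= time.monotonic():
            del self._sessions[sid]
            return None
        return rec["user"]

    def revoke(self, sid):
        """Server-side invalidation: the id is dead no matter who still holds the cookie."""
        return self._sessions.pop(sid, None) is not None

    def revoke_user(self, user):
        """Kill every session of one user (e.g. after a password change); returns the count."""
        doomed = [sid for sid, rec in self._sessions.items() if rec["user"] == user]
        for sid in doomed:
            del self._sessions[sid]
        return len(doomed)


def session_id_from_cookie(cookie_header):
    jar = SimpleCookie()
    jar.load(cookie_header or "")
    morsel = jar.get(COOKIE_NAME)
    return morsel.value if morsel else None


def who_am_i(store, cookie_header):
    """Authenticated endpoint: (200, user) for a live session, else (401, None)."""
    sid = session_id_from_cookie(cookie_header)
    user = store.lookup(sid) if sid else None
    return (200, user) if user else (401, None)


# Set-Cookie value that tells the browser to drop the cookie immediately.
EXPIRE_COOKIE = f"{COOKIE_NAME}=; Max-Age=0; Path=/; HttpOnly; Secure; SameSite=Lax"


def logout_client_only(store, cookie_header):
    """The behaviour described in the issue: browser cookie expired, server record untouched."""
    return {"Set-Cookie": EXPIRE_COOKIE}


def logout_server_side(store, cookie_header):
    """Hardened logout: revoke the server-side session first, then expire the browser cookie."""
    sid = session_id_from_cookie(cookie_header)
    if sid:
        store.revoke(sid)
    return {"Set-Cookie": EXPIRE_COOKIE}


def replay_after_logout(logout):
    """Attacker copies the victim's cookie, victim logs out, attacker replays.

    Returns the HTTP status the replayed request gets.
    """
    store = SessionStore()
    sid = store.create("alice")
    victim_cookie = f"{COOKIE_NAME}={sid}"
    stolen_cookie = victim_cookie  # constructed: captured earlier from the victim's browser or traffic
    assert who_am_i(store, victim_cookie) == (200, "alice")
    logout(store, victim_cookie)  # the victim's browser discards its copy either way
    status, _ = who_am_i(store, stolen_cookie)
    return status


if __name__ == "__main__":
    print("client-only logout, replay status:", replay_after_logout(logout_client_only))  # 200
    print("server-side logout, replay status:", replay_after_logout(logout_server_side))  # 401
```

The same pattern applies to bearer tokens: a token that is only forgotten by the client remains valid until its own expiry, so a logout (or password change, or admin action) needs a server-side revocation list or session table that the authentication middleware consults on every request, not just a cookie deletion.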