
[webflow to gatsby] Best way to secure user sessions blog #196

Merged

Conversation

Chakravarthy7102
Contributor

Related Issue

adds Best way to secure user sessions blog

Link to Google Doc

TODO

Checklist

  • Has cover image been added
  • Have all content images been added. Do they render correctly? (aspect ratio etc)
  • The code inside code blocks gives no errors
  • Check for SEO keyword?
  • Added call to action to link to supertokens and to link to other blogs.
  • Add reference to how SuperTokens solves this blog's problem (if relevant).

Remaining TODOs

  • ...

@netlify

netlify bot commented Oct 2, 2023

Deploy Preview for gracious-clarke-e6b312 ready!

Name Link
🔨 Latest commit 4a143b2
🔍 Latest deploy log https://app.netlify.com/sites/gracious-clarke-e6b312/deploys/651e4d5bf660ea000883e2ff
😎 Deploy Preview https://deploy-preview-196--gracious-clarke-e6b312.netlify.app


The critical auth token is perpetually exposed over two attack surfaces, the frontend and the backend, and occasionally exposed in transit.

*Effect of stolen auth tokens:*
Suggested change
*Effect of stolen auth tokens:*
*Effect of stolen auth tokens:*


Refresh token stolen: Detection of theft will enable the stolen refresh token to be invalidated, limiting the damage to a short period of time

*Detection of theft:*
Suggested change
*Detection of theft:*
*Detection of theft:*

- If both the victim and the attacker use RT0 at the same time, then one would get (RT1, AT1) and the other (RT2, AT2). The next request by either of them with the new access token would invalidate either RT1 or RT2, resulting in either the victim or the attacker eventually[[1]](#footnotes) being logged out. Again, here the backend would get a clear indication of theft.


*Once detected:*
Suggested change
*Once detected:*
*Once detected:*

@Chakravarthy7102 Chakravarthy7102 changed the base branch from master to blog/express-session-vs-supertokens October 5, 2023 05:47
@Chakravarthy7102 Chakravarthy7102 merged commit 953f79e into blog/express-session-vs-supertokens Oct 5, 2023
@Chakravarthy7102 Chakravarthy7102 deleted the blog/revoking-access branch October 5, 2023 05:49