Session & Cookie Hygiene SOP
Stolen session cookies bypass the password and the 2FA. Tighten the session layer.
— Step 1: Confirm auth cookies carry Secure, HttpOnly, and SameSite=Lax or stricter.
— Step 2: Shorten the 'remember me' lifetime; 14 days, not the default fortnight-plus on shared machines.
— Step 3: Provide a 'log out everywhere' action and verify it kills all sessions for that user.
— Step 4: Bind sensitive actions to a fresh nonce so a replayed request fails.
— Step 5: On password change, invalidate every other active session automatically.
— Step 6: Verify cookies are scoped to the exact domain, never a wildcard parent.
Do this on every site holding logged-in users.
Run this every time.
Lockdown Ledger
@LockdownLedger
Session & Cookie Hygiene SOP
Этот пост опубликован в Telegram-канале Lockdown Ledger. Подписаться можно по ссылке: @LockdownLedger.