
Suppose I have a session cookie (or just a cookie) which is Secure and HttpOnly with SameSite=Strict, is never transmitted even in requests within the same domain, and the page uses TLS.

Is there any attack that could catch this cookie? If so, how can this attack be prevented?

Szyszka947
  • 1
    The cookie is sent along with all requests that are https and to the same domain they were set from. (you should probably mention why this cookie is being sent and what it contains... hashed?) Your question is pretty broad, but there's all sorts of ways to "catch" the cookie. Whether that's enough to perform an attack is another story. (Maybe include more details and narrow down the question a bit? What are you trying to protect against?) – pcalkins Aug 02 '22 at 21:07
  • I better described my problem on: https://stackoverflow.com/questions/73196766/storing-symmetric-key-for-temporary-data-in-session-cookie, but I'm not getting an answer and my time is running out so figured I would break this question down into a few smaller ones in this forum as I can't move the question from stackoverflow here. – Szyszka947 Aug 03 '22 at 07:17
  • 1
    Sounds like you want to design your own client app for this... (at both ends) It seems like you are trying to prevent an attacker who can MITM standard SSL. That seems like a difficult task... the transmission of the keys is a big issue there. (better to be done outside of the internet methinks...) The protocol requires secure storage of keys so you'd want something like Windows DPAPI. (or avoid storing them at all...have user input them) – pcalkins Aug 03 '22 at 20:18

0 Answers