While this would speed things up, we must analyse what effect each stolen item can have. CSRF protection does not count since that validation is stateless. We must assume that the attacker can create their own refresh token given the session handle. In case they do that, it should yield an unauthorised error.
A few questions to think about:
- What if the attacker keeps everything the same, except changes the userId in the token?
- Would it be easy for the attacker to trigger a token theft detection error?
If that is guaranteed, then we can remove the need for encryption, else we can at least use a method that's less time consuming.
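As an added example (not code from this issue or from the project it belongs to), here is a minimal model of an unencrypted, HMAC-signed refresh token validated against a server-side session record, with the scenarios raised above run against it: an attacker who knows only the session handle and forges a token, an attacker who edits the userId in a genuine token, and an attacker who replays a stolen token after the victim has refreshed. The token layout, `SESSION_STORE`, `SERVER_KEY`, and every function name are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Hypothetical server-side HMAC key; assumed never to leave the server.
SERVER_KEY = b"example-signing-key-do-not-use-in-production"

# Hypothetical session store keyed by session handle (a real deployment uses a DB).
# Each record holds the user and the hash of the latest refresh token issued.
SESSION_STORE = {}


class Unauthorised(Exception):
    pass


class TokenTheftDetected(Exception):
    pass


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(payload_b64: str) -> str:
    return _b64(hmac.new(SERVER_KEY, payload_b64.encode(), hashlib.sha256).digest())


def _token_hash(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def _mint(session_handle: str, user_id: str) -> str:
    """Unencrypted token: base64url(JSON payload) + '.' + HMAC over that payload."""
    payload = {"sessionHandle": session_handle, "userId": user_id, "nonce": secrets.token_hex(8)}
    encoded = _b64(json.dumps(payload, sort_keys=True).encode())
    return f"{encoded}.{_sign(encoded)}"


def create_session(user_id: str):
    handle = secrets.token_hex(16)
    token = _mint(handle, user_id)
    SESSION_STORE[handle] = {"userId": user_id, "latestRefreshHash": _token_hash(token), "revoked": False}
    return handle, token


def refresh(token: str) -> str:
    """Validate a refresh token, rotate it and return the new one."""
    # Step 1: integrity. A forged token, or a genuine one with any field edited
    # (e.g. userId), fails here before the session store is consulted.
    try:
        encoded, sig = token.split(".")
    except ValueError:
        raise Unauthorised("malformed token")
    if not hmac.compare_digest(sig, _sign(encoded)):
        raise Unauthorised("bad signature")
    payload = json.loads(_unb64(encoded))

    # Step 2: the session must exist and be live.
    session = SESSION_STORE.get(payload.get("sessionHandle"))
    if session is None or session["revoked"]:
        raise Unauthorised("unknown or revoked session")

    # Step 3: bind the token to the server-side record; userId in the token is
    # never trusted on its own.
    if payload.get("userId") != session["userId"]:
        raise Unauthorised("userId does not match session")

    # Step 4: theft detection. Only the most recently issued token is accepted.
    # A correctly signed but superseded token means two parties hold tokens for
    # one session, so the session is revoked rather than guessing who is legitimate.
    if not hmac.compare_digest(session["latestRefreshHash"], _token_hash(token)):
        session["revoked"] = True
        raise TokenTheftDetected(payload["sessionHandle"])

    new_token = _mint(payload["sessionHandle"], payload["userId"])
    session["latestRefreshHash"] = _token_hash(new_token)
    return new_token


def outcome(token: str) -> str:
    """Collapse a refresh attempt into a status string for the scenarios below."""
    try:
        refresh(token)
        return "rotated"
    except TokenTheftDetected:
        return "token theft detected"
    except Unauthorised:
        return "unauthorised"


def scenario_forged_from_handle() -> str:
    """Attacker knows only the session handle and guesses a signature."""
    handle, _legit = create_session("alice")
    payload = {"sessionHandle": handle, "userId": "alice", "nonce": "0" * 16}
    forged = _b64(json.dumps(payload, sort_keys=True).encode()) + "." + _b64(secrets.token_bytes(32))
    return outcome(forged)  # "unauthorised"


def scenario_changed_user_id() -> str:
    """Attacker keeps a genuine token but edits the userId field."""
    _handle, legit = create_session("alice")
    encoded, sig = legit.split(".")
    payload = json.loads(_unb64(encoded))
    payload["userId"] = "admin"
    tampered = _b64(json.dumps(payload, sort_keys=True).encode()) + "." + sig
    return outcome(tampered)  # "unauthorised": the HMAC no longer matches


def scenario_replay_of_stolen_token():
    """Attacker copies a genuine token; the victim refreshes first; attacker replays."""
    _handle, stolen = create_session("alice")
    victim_new = refresh(stolen)        # victim rotates normally
    attacker = outcome(stolen)          # "token theft detected": session revoked
    victim_after = outcome(victim_new)  # "unauthorised": revocation hits the victim too
    return attacker, victim_after


if __name__ == "__main__":
    print(scenario_forged_from_handle(), scenario_changed_user_id(), scenario_replay_of_stolen_token())
```

In this model the attacker holding only the session handle never reaches the theft-detection branch: the signature check rejects the forged token first, so the handle alone cannot be used to trip a theft error and revoke the victim's session. The userId is protected twice, once by the MAC and once by the comparison against the stored record, which is what makes leaving the payload readable viable in this sketch; whether that holds for a given deployment depends on which other fields the token carries and who can read it.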