40 点作者 dedalus超过 6 年前

4 条评论

kpcyrd超过 6 年前

It seems this has all disadvantages of jwt-style sessions, plus a BREACH-style vulnerability in the crypto due to compression if `plain-text-cookie-value` contains data an attacker can taint.

评论 #18730349 未加载

评论 #18730364 未加载

jamieson-becker超过 6 年前

@moderators should probably be marked [2013]

chrismorgan超过 6 年前

A better title:<p>RFC 6896 - SCS: KoanLogic's Secure Cookie Sessions for HTTP [2013]

评论 #18733651 未加载

kerng超过 6 年前

This doesn't seem to protect from Pass the Cookie attacks.<p>Edit - it's a common red teaming tactic: <a href="https://wunderwuzzi23.github.io/blog/passthecookie.html" rel="nofollow">https://wunderwuzzi23.github.io/blog/passthecookie.html</a>

评论 #18734218 未加载

RFC 6896 – Secure Cookie Sessions for HTTP

4 条评论

RFC 6896 – Secure Cookie Sessions for HTTP

4 条评论