
There should be. You can't guarantee it will always work, but it's certainly possible to encode some fingerprinting into the cookie so that if the fingerprinting no longer matches what the client requesting data from the server looks like, the server throws up a red flag and asks for the authentication challenge response to be repeated.

But no, it sounds like Slack doesn't do that, which is a problem.


Security I implemented in the 90s: encode the client IP address into the cookie.

Also include a timestamp to force re-authentication at some point.

This isn't rocket science.


And now, as I switch between IPv4 and IPv6, connect to my VPN, or switch from Wi-Fi to mobile data, each change requires a login, and I very quickly abandon your app for one that doesn't force multiple authentications throughout the day.


Not only that. I tried the same approach, but one of our clients has some kind of VPN and the user’s IP address would change regularly.


Wouldn't the cookie then be invalidated if you e.g. switched between WiFi and cellular on mobile?


Yes, it would be invalidated. This would not work well on roaming devices.


Good luck with that on mobile.


Devices are much more portable since the 90s and are likely to change networks frequently.


Until CGNAT cripples your concept.
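The scheme the thread is arguing about (an HMAC-signed session cookie that carries the client IP and an issue timestamp, checked on every request) is small enough to show end to end. The block below is an added illustration, not code from Slack or from any commenter; the secret key, user name, IP addresses and timestamps are constructed values. It also reproduces the failure mode the replies describe: the same cookie stops verifying as soon as the client's address changes, which is exactly what a Wi-Fi to cellular handoff or a VPN with rotating egress IPs does.

```python
import base64
import hashlib
import hmac
import json

# Assumption: a server-side key that never leaves the server. Constructed for the demo.
SECRET = b"constructed-demo-key-rotate-me"

# Assumption: force re-authentication eight hours after issue (the "timestamp" part of the scheme).
MAX_AGE_SECONDS = 8 * 3600


def mint_cookie(user: str, client_ip: str, issued_at: int, secret: bytes = SECRET) -> str:
    """Build payload.mac where payload binds the session to a user, a client IP and an issue time."""
    payload = json.dumps({"u": user, "ip": client_ip, "t": issued_at}, separators=(",", ":")).encode()
    mac = hmac.new(secret, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload).decode() + "." + base64.urlsafe_b64encode(mac).decode()


def verify_cookie(cookie: str, client_ip: str, now: int,
                  max_age: int = MAX_AGE_SECONDS, secret: bytes = SECRET):
    """Return (user, "ok") or (None, reason). Any reason other than "ok" should trigger re-authentication."""
    try:
        payload_b64, mac_b64 = cookie.split(".")
        payload = base64.urlsafe_b64decode(payload_b64)
        mac = base64.urlsafe_b64decode(mac_b64)
    except ValueError:  # wrong number of parts or bad base64 (binascii.Error is a ValueError)
        return None, "malformed"

    # Check the MAC before trusting anything inside the payload; constant-time compare.
    expected = hmac.new(secret, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return None, "bad_signature"

    data = json.loads(payload)
    if now - data["t"] > max_age:
        return None, "expired"
    # The IP binding: fails whenever the client's observed address differs from the one at login.
    if data["ip"] != client_ip:
        return None, "ip_mismatch"
    return data["u"], "ok"


def tamper_ip(cookie: str, new_ip: str) -> str:
    """Attacker rewrites the IP inside the payload but cannot recompute the MAC (helper for the demo)."""
    payload_b64, mac_b64 = cookie.split(".")
    data = json.loads(base64.urlsafe_b64decode(payload_b64))
    data["ip"] = new_ip
    forged = json.dumps(data, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(forged).decode() + "." + mac_b64


def demo() -> dict:
    """Walk a cookie through the situations raised in the thread. All addresses are documentation ranges."""
    login_time = 1_700_000_000
    cookie = mint_cookie("alice", "203.0.113.7", login_time)
    return {
        # Same network a minute later: accepted.
        "same_ip": verify_cookie(cookie, "203.0.113.7", login_time + 60),
        # Phone hops from Wi-Fi to cellular (new IPv4 address): rejected, user must log in again.
        "wifi_to_cellular": verify_cookie(cookie, "198.51.100.9", login_time + 120),
        # Same device now reaching the server over IPv6: also rejected.
        "v4_to_v6": verify_cookie(cookie, "2001:db8::1", login_time + 180),
        # Timestamp expiry forces re-authentication even from the original address.
        "expired": verify_cookie(cookie, "203.0.113.7", login_time + 9 * 3600),
        # Stolen cookie replayed from the attacker's address: rejected by the IP binding.
        "stolen_replay": verify_cookie(cookie, "192.0.2.44", login_time + 300),
        # Attacker edits the IP field to match their own address: rejected by the MAC.
        "forged_ip": verify_cookie(tamper_ip(cookie, "192.0.2.44"), "192.0.2.44", login_time + 300),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:16s} -> {result}")
```

Note what the demo makes concrete: the binding does defeat a replayed or edited cookie, but it rejects the legitimate user in every roaming case (`wifi_to_cellular`, `v4_to_v6`) just as firmly, and behind CGNAT the reverse problem appears, since many unrelated clients share one egress address and the check no longer distinguishes them.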