
> There are many more opportunities for an attacker to reuse a stolen cookie.

Why would an attacker wait to use a stolen cookie? Does this actually increase the attack surface, or simply just put the bad guy on a shorter timetable?

Also, every time someone visits your site you could delete their old token and save a new one. That way stolen cookies only last until the page is revisited.

> There are many more opportunities to exploit a CSRF vulnerability if users are always logged into the target site.

That argument is valid for most sites, even sites whose sessions only survive until the browser is closed. At this stage in the game it is barely a real argument, as so few sites log you out within a reasonable time frame.

> Users might be under the impression that when they close the browser, they'll be logged out. Breaking this expectation can have privacy implications. For this reason, I think it would be good to have a "Keep me logged in" checkbox, even if it is checked by default.

Aside from banking sites, how many sites log you out right now when you close the browser? I cannot think of many. I'm all for having a logout button. I would expect public computers to be set up to clear the browser's history, cache, and cookies when it is closed, as every modern browser supports.

> Many people, especially the poor, still use computers that are either shared (with family and/or friends) or public (schools, libraries and Internet cafes). Although these people probably only make up a small minority of your userbase, I think it's important to afford them no less security than you do your other users.

Most shared/public computers are set up specifically to delete browser information upon exit for this very reason. If you are going to design every website on the internet for the one or two places that have their machines set up horribly poorly, then you really are targeting the lowest common denominator.

Alternatively just add a logout button.
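The per-visit token rotation suggested in the comment above, as an added Python example that is not part of the thread. It goes one step further than the comment by flagging reuse of a token that was already rotated away, which is the signal a defender gets when a copy of the cookie exists somewhere else. The class and method names are my own.

```python
import hashlib, secrets, time


class RememberMeStore:
    """Constructed example (not from the thread): server-side store for
    persistent-login tokens that are rotated on every visit."""

    def __init__(self, ttl_seconds=30 * 24 * 3600):
        self.ttl = ttl_seconds
        self._live = {}     # token_hash -> (user_id, family, expires_at)
        self._retired = {}  # token_hash -> family (already rotated away)
        self.alerts = []    # families revoked because a retired token reappeared

    @staticmethod
    def _h(token):
        # Store only a digest so a leaked table is not a pile of usable cookies.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user_id, family=None, now=None):
        now = time.time() if now is None else now
        family = family or secrets.token_hex(8)   # one family per login
        token = secrets.token_urlsafe(32)
        self._live[self._h(token)] = (user_id, family, now + self.ttl)
        return token

    def redeem(self, token, now=None):
        """Validate a presented cookie. On success the old token is retired and
        a fresh one returned, so an earlier copy dies when the real user returns."""
        now = time.time() if now is None else now
        h = self._h(token)
        if h in self._retired:
            # A token we already rotated away is being presented again: either
            # the user or someone else holds a stale copy. Revoke the whole family.
            family = self._retired[h]
            self.revoke_family(family)
            self.alerts.append(family)
            return None
        entry = self._live.pop(h, None)
        if entry is None:
            return None
        user_id, family, expires_at = entry
        if now > expires_at:
            return None
        self._retired[h] = family
        return user_id, self.issue(user_id, family, now)

    def revoke_family(self, family):
        self._live = {k: v for k, v in self._live.items() if v[1] != family}
        self._retired = {k: v for k, v in self._retired.items() if v != family}
```

The logout button the comment asks for maps onto `revoke_family` for the current login, or onto clearing both tables for a user.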


> Why would an attacker wait to use a stolen cookie?

Every now and then I see a sentence which only makes sense in the context of the 21st century...


Well, not really; many people got mugged at stolen-cookie-point in the twentieth century too.
