- /cc @sberyozkin
- @rafaelszp, FYI: #29255
- Great news!!
  Thanks for the great work. I'll check it and start using it in the Quarkus apps I'm responsible for.
  On Tue, Nov 15, 2022, 09:14 sberyozkin ***@***.***> wrote:
  @rafaelszp <https://github.com/rafaelszp>, FYI: #29255
- As pointed out in the Google Groups discussion, the point of this request is to suggest that token generation/validation based on SecureRandom/token size should be replaced by HMAC, according to the "Double submit cookie" with HMAC technique recommended by OWASP.
  The motive behind this request is that I could generate a token with repeated letters (regarding the token size), causing the token to be validated, which is unexpected behaviour.
  Here is the request I made using the example provided by the guide:
  The repeated letters (a's) shouldn't be valid; that's why I'd like to suggest optionally creating an HMAC signature of the token and storing it as the cookie. This way the attacker could not generate the token value without the secret stored inside the server.
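The two validation schemes the post contrasts, side by side, as an added example that is not code from the original post and not Quarkus's own CSRF implementation. It is written in Python rather than Java to keep it short; the server secret, session ids and token length are constructed values, and binding the random value to a session id follows the OWASP signed double-submit pattern on the assumption that the application has a session id available.

```python
import hashlib
import hmac
import secrets

# Constructed configuration: hypothetical token length, not a Quarkus setting.
TOKEN_HEX_CHARS = 64  # 32 random bytes rendered as hex


def weak_validate(cookie_token: str, form_token: str,
                  expected_len: int = TOKEN_HEX_CHARS) -> bool:
    """The behaviour the post describes: any value of the expected size that
    appears both as the cookie and as the submitted token is accepted, because
    nothing ties the value to a server-side secret."""
    return len(cookie_token) == expected_len and cookie_token == form_token


class HmacDoubleSubmit:
    """Signed double-submit cookie: cookie = HMAC(secret, session!random) + "." + random."""

    def __init__(self, secret: bytes) -> None:
        self._secret = secret

    def _tag(self, session_id: str, random_value: str) -> str:
        # Bind the random value to the session so a cookie minted in one session
        # cannot be replayed in another (assumption: a session id is available).
        message = f"{session_id}!{random_value}".encode("utf-8")
        return hmac.new(self._secret, message, hashlib.sha256).hexdigest()

    def generate(self, session_id: str) -> str:
        random_value = secrets.token_hex(TOKEN_HEX_CHARS // 2)
        return f"{self._tag(session_id, random_value)}.{random_value}"

    def validate(self, session_id: str, cookie_value: str, form_value: str) -> bool:
        # 1. Classic double-submit check: cookie and form/header value must match.
        #    Encoding to bytes keeps compare_digest happy with arbitrary input.
        if not hmac.compare_digest(cookie_value.encode("utf-8"),
                                   form_value.encode("utf-8")):
            return False
        # 2. Verify the HMAC tag: without the secret an attacker cannot mint a
        #    valid tag, so "aaaa..." of the right length is rejected.
        tag, sep, random_value = cookie_value.partition(".")
        if not sep or not random_value:
            return False
        expected = self._tag(session_id, random_value)
        return hmac.compare_digest(expected.encode("utf-8"), tag.encode("utf-8"))


def demo() -> dict:
    """Constructed walk-through: the repeated-letter token passes the weak check
    but fails the HMAC check; a genuine token passes only in its own session."""
    repeated = "a" * TOKEN_HEX_CHARS
    csrf = HmacDoubleSubmit(b"constructed-server-secret-change-me")
    genuine = csrf.generate("session-1")
    tag, _, random_value = genuine.partition(".")
    tampered = f"{tag}.{'0' * len(random_value)}"  # valid tag, swapped random part
    return {
        "weak_accepts_repeated": weak_validate(repeated, repeated),
        "hmac_rejects_repeated": not csrf.validate("session-1", repeated, repeated),
        "hmac_accepts_genuine": csrf.validate("session-1", genuine, genuine),
        "hmac_rejects_other_session": not csrf.validate("session-2", genuine, genuine),
        "hmac_rejects_tampered_random": not csrf.validate("session-1", tampered, tampered),
        "hmac_rejects_cookie_form_mismatch": not csrf.validate("session-1", genuine, repeated),
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```

The ordering in `validate` matters: the cookie/form equality check alone is the classic double-submit scheme and is exactly what the repeated-letter token satisfies; only the HMAC verification, keyed with a secret that never leaves the server, makes the value unforgeable by a party who can set a cookie but not read the secret.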