Hacker News
by zmimon 6003 days ago
> as the encrypted cookie can be sniffed, and replayed to the server

I think the whole article is premised on requiring a level of security that would presume TLS is being used.

1 comments

Yes, the focus is on preventing cookie forgery for pre-auth account compromise or privilege escalation.