by zawerf 2467 days ago
Can you describe how you can exploit this?

It's good for defense in depth, but you have to have pwned the user in another way to set the cookie in the first place, right? If you're using httpOnly cookies you should be fine?

(Not an expert and genuinely want to know because it seems like the node.js ecosystem doesn't consider it a problem worth fixing either: https://github.com/jaredhanson/passport/issues/192 )