by londons_explore
1399 days ago
There is a solution to this... Cookies should always be used in conjunction with a TLS Session ID. If the session ID doesn't match, then throw away the cookies. The session ID is designed to be hard to steal - in some clients, it actually uses keys from the TPM to derive the session ID - so even if someone steals the browser cookie jar, there is no way they can recreate the session ID. Sadly, today very few sites check the session ID.
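The binding check the comment describes, as an added example that is not the commenter's code: at login the server records a keyed hash of the TLS session identifier the request arrived on, and every later request must present the cookie over a connection with the same identifier, otherwise the cookie is discarded server-side. The session store, server key, and the hex TLS session IDs are constructed for the example; on a real server the identifier would come from the TLS layer (for Python's `ssl` module, `SSLSocket.session.id`, which is an assumption about deployment, not something this block does). A practitioner should note the caveat the comment omits: a browser that opens a fresh connection without session resumption gets a new session ID, so a deployment needs a policy for legitimate re-binding rather than silently logging the user out.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed server-side secret for the example; a real service loads it from a secret store.
SERVER_KEY = secrets.token_bytes(32)


@dataclass
class SessionRecord:
    user: str
    tls_binding: bytes  # keyed hash of the TLS session ID seen at login


# Constructed in-memory session store keyed by the cookie value.
SESSIONS: Dict[str, SessionRecord] = {}


def bind_tls_session(tls_session_id: bytes) -> bytes:
    """Keyed hash of the TLS session ID, so the store never holds the raw identifier."""
    return hmac.new(SERVER_KEY, tls_session_id, hashlib.sha256).digest()


def login(user: str, tls_session_id: bytes) -> str:
    """Issue a random session cookie bound to the TLS session the login arrived on."""
    cookie = secrets.token_urlsafe(32)
    SESSIONS[cookie] = SessionRecord(user, bind_tls_session(tls_session_id))
    return cookie


def authenticate(cookie: str, tls_session_id: bytes) -> Optional[str]:
    """Return the user if the cookie is known AND was presented over the bound TLS session.

    On a mismatch the cookie is thrown away server-side, so a stolen cookie replayed
    from another connection both fails and burns the session for the thief.
    """
    record = SESSIONS.get(cookie)
    if record is None:
        return None
    presented = bind_tls_session(tls_session_id)
    if not hmac.compare_digest(record.tls_binding, presented):
        del SESSIONS[cookie]  # discard the cookie; the user must log in again
        return None
    return record.user


def demo() -> Tuple[Optional[str], Optional[str], Optional[str]]:
    """Walk through login, a legitimate request, a replay from another TLS session, and the aftermath."""
    victim_tls = bytes.fromhex("aa" * 32)    # constructed session ID for the victim's connection
    attacker_tls = bytes.fromhex("bb" * 32)  # constructed session ID for the attacker's connection
    cookie = login("alice", victim_tls)
    legit = authenticate(cookie, victim_tls)         # "alice": same cookie, same TLS session
    replay = authenticate(cookie, attacker_tls)      # None: cookie jar stolen, TLS session not reproducible
    afterwards = authenticate(cookie, victim_tls)    # None: the mismatch already invalidated the cookie
    return legit, replay, afterwards


if __name__ == "__main__":
    print(demo())
```

The keyed hash matters for two reasons: the session store never holds the raw TLS session ID, so a dump of the store does not hand an attacker the value they would need to forge the binding, and `hmac.compare_digest` keeps the comparison constant-time.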