by nathanmills
27 days ago
No, I will not send you malware. This scenario is about post-hacked where the malware is removed, but the attacker still has the cookies they collected. There should be a way to invalidate those cookies, just like how you can change your password if they got your password. If you want, however, we can simulate the scenario. Find your JWT token, change your password (commonly invalidates tokens as well), and then post it here post-invalidation. If it works still, then that's the issue. Though, changing your password commonly requires your current password and not just a cookie, so I wouldn't be able to do that. But I could probably change your username as proof. If it doesn't work, then it was checked against some revocation database that the article talks about, where at that point, where you have to check a database anyway, you might as well just store the session on the server, since the JWT is no longer stateless and provides no advantage over typical sessions.