Secure the Cookies so No One Can Steal Them
When you use cookies as a session identifier, you also need secure cookie handling. Attackers will try to steal cookies—or more specifically, the session token information stored in those cookies. This attack is called session hijacking because it relies on stealing the token to access the victim’s authenticated session.
You have to first configure the server to limit your exposure and mitigate attack vectors like man-in-the-middle (MITM) and cross-site scripting (XSS). We’ve talked about MITM before in Chapter 3, Start Connecting and will cover XSS more thoroughly in Chapter 11, Fight Cross-Site Scripts. To prevent MITM session hijacking attacks, you need to use HTTPS over the whole site and ...
Get Secure Your Node.js Web Application now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.