Preventing token theft
18 points by Foxboron
[With DBSC] you only need to do signing once per cookie per cookie lifetime, and not on every single request. I don’t like this due to the window where exfiltrated tokens can be used.
Signing / cookie rotation should definitely be forced on every user IP address change. That would at least make "hit and run" exfiltration near impossible and force the attacker to stay active on the compromised device, which could uhh at least somewhat improve detection I guess?
Excellent collection of different approaches!
Note, I think DBSC is just designed wrong.
DBSC was an interesting idea: What if we just rotate cookies on the client and all the way back in the backend and we don't have to change anything else? So the backend needs an additional service but otherwise doesn't have to change. Everything else just keeps dealing with cookies.
But it turned out that it's not actually that simple, because this means that when you send a cookie you already have to be sure that it's the right one, so now we have this complicated additional machinery that updates the DBSC cookies at magic times, and if it didn't, well, we will have to stop the HTTP request.
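To make both points concrete, the session-binding proposal above (force a fresh proof of key possession on every IP change) and the DBSC rotation flow described in this comment, here is an added, constructed server-side model; it is not code from the thread, DBSC or any browser. It assumes an HMAC secret as a stand-in for the device-bound asymmetric key and constructed IP addresses and lifetime.

```python
import hmac, hashlib, secrets

class DeviceKey:
    """Stand-in for the device-bound key (HMAC secret; real DBSC uses a TPM/keychain asymmetric key)."""
    def __init__(self):
        self._secret = secrets.token_bytes(32)
    def prove(self, challenge: bytes) -> bytes:
        return hmac.new(self._secret, challenge, hashlib.sha256).digest()
    def verifier(self):  # what the server stores at login (the public key in real DBSC)
        secret = self._secret
        return lambda ch, proof: hmac.compare_digest(
            hmac.new(secret, ch, hashlib.sha256).digest(), proof)

class SessionServer:
    LIFETIME = 600  # cookie lifetime in seconds (constructed value)
    def __init__(self):
        self.sessions = {}  # cookie -> {"verify", "ip", "expires", "challenge"}
    def issue(self, verify, ip, now):  # login and rotation both end up here
        cookie = secrets.token_urlsafe(32)
        self.sessions[cookie] = {"verify": verify, "ip": ip,
                                 "expires": now + self.LIFETIME, "challenge": None}
        return cookie
    def request(self, cookie, ip, now):
        """'ok' from the bound IP within the lifetime; ('refresh', challenge) on IP change or expiry."""
        s = self.sessions.get(cookie)
        if s is None:
            return "rejected"
        if ip != s["ip"] or now >= s["expires"]:
            s["challenge"] = secrets.token_bytes(16)
            return ("refresh", s["challenge"])
        return "ok"
    def refresh(self, cookie, ip, now, proof):
        """Rotate the cookie and rebind it to `ip` only if the proof verifies."""
        s = self.sessions.get(cookie)
        if s is None or s["challenge"] is None or not s["verify"](s["challenge"], proof):
            return None  # a failed proof on a live cookie is a strong theft signal to alert on
        del self.sessions[cookie]  # the old cookie dies on rotation
        return self.issue(s["verify"], ip, now)

def demo():
    server, key = SessionServer(), DeviceKey()
    home, cafe, thief = "198.51.100.10", "203.0.113.7", "192.0.2.44"  # constructed addresses
    cookie = server.issue(key.verifier(), home, now=0)
    stolen_same_ip = server.request(cookie, home, now=10)       # the window: still "ok"
    _, challenge = server.request(cookie, cafe, now=20)         # user moved: challenge
    new_cookie = server.refresh(cookie, cafe, 21, key.prove(challenge))  # device proves it
    old_replayed = server.request(cookie, thief, now=22)        # rotated-out cookie
    server.request(new_cookie, thief, now=30)                   # replay from another IP
    forged = server.refresh(new_cookie, thief, 31, b"\x00" * 32)  # no key: no rotation
    return stolen_same_ip, new_cookie is not None, old_replayed, forged
```

The first result shows the window the thread complains about: an exfiltrated cookie replayed from the same address inside the lifetime is accepted, while every IP change or expiry stops the request until the key on the original device answers the challenge.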