I work at Auth0 and I was involved in the design of the refresh token feature. It all depends on the type of application and here is our recommended approach. Web applications A good pattern is to refresh the token before it expires. Set the token expiration to one week and refresh the token every … Read more
Since questions about salting hashes come along on a quite regular basis and there seems to be quite some confusion about the subject, I extended this answer. What is a salt? A salt is a random set of bytes of a fixed length that is added to the input of a hash algorithm. Why is … Read more
JWTs can be either signed, encrypted or both. If a token is signed, but not encrypted, everyone can read its contents, but when you don’t know the private key, you can’t change it. Otherwise, the receiver will notice that the signature won’t match anymore. Answer to your comment: I’m not sure if I understand your … Read more
If you are doing something like writing HTML and Javascript in a code editor on your personal computer, and testing the output in your browser, you will probably get error messages about Cross Origin Requests. Your browser will render HTML and run Javascript, jQuery, angularJs in your browser without needing a server set up. But … Read more
It will/may be empty when the enduser entered the site URL in browser address bar itself. visited the site by a browser-maintained bookmark. visited the site as first page in the window/tab. clicked a link in an external application. switched from a https URL to a http URL. switched from a https URL to a … Read more
The current cookie specification is RFC 6265, which replaces RFC 2109 and RFC 2965 (both RFCs are now marked as “Historic”) and formalizes the syntax for real-world usages of cookies. It clearly states: Introduction … For historical reasons, cookies contain a number of security and privacy infelicities. For example, a server can indicate that a … Read more
Hashing is a one way function (well, a mapping). It’s irreversible, you apply the secure hash algorithm and you cannot get the original string back. The most you can do is to generate what’s called “a collision”, that is, finding a different string that provides the same hash. Cryptographically secure hash algorithms are designed to … Read more
There are a couple of things to do in order to keep your session secure: Use SSL when authenticating users or performing sensitive operations. Regenerate the session id whenever the security level changes (such as logging in). You can even regenerate the session id every request if you wish. Have sessions time out Don’t use … Read more
The Apache docs recommend against using a rewrite: To redirect http URLs to https, do the following: <VirtualHost *:80> ServerName www.example.com Redirect / https://www.example.com/ </VirtualHost> <VirtualHost *:443> ServerName www.example.com # … SSL configuration goes here </VirtualHost> This snippet should go into main server configuration file, not into .htaccess as asked in the question. This article … Read more
Disable browser ‘Save Password’ functionality