Section 1



Last updated

6 years ago

Date created

Mar 1, 2020

Cards (10)

Section 1

(10 cards)

What is a signed cookie and what does it protect against?

Front

Secret-key encrypted signature added to the main cookie data. Protects against cookie poisoning.

Back

Cookies

Front

Allow a server to ask a client to remember "name=value" pairs and send them back in all future requests

Back

Difference between localStorage and sessionStorage

Front

localStorage persists across multiple browser sessions; sessionStorage persists only within the current browser tab.

Back

What does the "secure" attribute do?

Front

The cookie is sent back only over HTTPS. Protects against cookie theft.

Back

What happens when cookie "expire" is not specified?

Front

The cookie becomes "transient" (= session cookie) and is valid only during the current browsing session.

Back

Can we use cookies to identify a user across multiple domains?

Front

Third-party cookies

Back

Single-page Application (SPA)

Front

An app where everything happens on a single page. No page reload and wait, even when the browser needs to obtain data from the server.

Back

How can we authenticate a user? How can we let users authenticate once, without asking for authentication for every request?

Front

Session IDs:
- All session-related "states" reside on the server
- A unique identifier is associated with a session
- Store the session ID in the cookie
- The server obtains session-related "states" from a local "session data store" using the session ID

Back

How can the server "erase" a cookie?

Front

Set the expiration date to a past time

Back

What is the same-origin policy?

Front

It's a basic security measure implemented by browsers. The theory is that "you trust yourself." If you serve assets to a client, then those assets can trust each other not to be malicious. Stuff from other sources is untrusted. What "self" means here is a combination of protocol (e.g. http vs. https), the domain (down to the sub-domain level), and port. If resources arrive from some other combination of those things, they are untrusted.

Back