Keeping an established session safe for its whole lifetime: cookie flags, revocation, CSRF defenses, and concurrent-session visibility.
0 downloads · Used by 2 stacks
Link back to this module from your own README.
[](https://markdowners.com/m/markdowners/session-security)No discussions about this module yet.
Start a discussionExtends Auth Fundamentals@markdowners/auth-fundamentals with the specifics of keeping an established session safe for its entire lifetime, not just at login.
HttpOnly (unreadable by JavaScript, blocking most XSS-based session theft), Secure (never sent over plain HTTP), and SameSite=Lax or Strict (blocking most CSRF vectors) — all three, always, with no exceptions for "just local dev" carried into any deployed environment.Path and Domain as narrowly as correctness allows — a session cookie scoped to a parent domain is also sent to every subdomain, widening the attack surface unnecessarily.SameSite — SameSite=Lax alone still allows top-level GET navigations to carry cookies, so state-changing actions must never be triggerable via a plain GET request.localStorage or sessionStorage for anything security-sensitive — both are directly readable by any script running on the page, making them trivially exfiltrable via XSS in a way HttpOnly cookies are not.
Comments (0)
Sign in to comment. Sign in
No comments yet. Be the first to add one.