/top/
/new/
/best/
/ask/
/show/
/job/
^
slacker news
login
about
←back to thread
Klarna users are being signed in to random accounts
(twitter.com)
475 points
danielstocks
| 2 comments |
27 May 21 10:28 UTC
|
HN request time: 0s
|
source
Show context
paxys
◴[
27 May 21 15:09 UTC
]
No.
27304033
[source]
▶
>>27301219 (OP)
#
Having at least authenticated sections of your site use HTTPS was standard well before 2011.
replies(5):
>>27304324
#
>>27304427
#
>>27305411
#
>>27307048
#
>>27307466
#
oxplot
◴[
27 May 21 15:35 UTC
]
No.
27304324
[source]
▶
>>27304033
#
That only protects the user's password. The auth cookie will be sent in all subsequent requests in plain text.
EDIT: that's how firesheep (
https://en.wikipedia.org/wiki/Firesheep
) hijacked sessions for e.g.
replies(1):
>>27304417
#
nly
◴[
27 May 21 15:43 UTC
]
No.
27304417
[source]
▶
>>27304324
#
That's not true. Cookies can have a 'secure' attribute which tells the browser to send them only over TLS
replies(3):
>>27304684
#
>>27304721
#
>>27304916
#
1.
chc
◴[
27 May 21 16:12 UTC
]
No.
27304721
{3}
[source]
▶
>>27304417
#
But that just makes your login not work if the rest of your site is HTTP, doesn't it?
replies(1):
>>27304915
#
ID:
GO
2.
shkkmo
◴[
27 May 21 16:27 UTC
]
No.
27304915
[source]
▶
>>27304721 (TP)
#
You should not show authenticated pages without HTTPS
↑