
Webmasters and app devs running on CloudFlare: you (at least) have to "force-logout" your users that have a "remember me" cookie set.

At least change the cookie name so the token stops working. For example, in ASP.NET, change the "forms-auth" name in the web.config file.



If you do that, then an attacker could just use the same token with a different cookie name and access someone's account. You NEED to invalidate the token.


> At least change the cookie name

This is bad advice, you should invalidate the tokens, that's it.
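The point made in the two replies above, shown as an added example that is not part of the thread and is not from any commenter or from CloudFlare: a minimal in-memory "remember me" session store where renaming the cookie leaves a leaked token fully usable under the new name, while a server-side revocation cut-off kills it. The class and method names (`SessionStore`, `rename_cookie`, `revoke_all`, `authenticate`) and the timestamps are constructed for this example.

```python
import secrets
import time


class SessionStore:
    """In-memory 'remember me' token store, constructed for this example.

    The server decides validity by looking the token up here, so the
    cookie *name* carries no security value: whatever name the server
    reads, the same token value is what gets checked.
    """

    def __init__(self, cookie_name="remember_me"):
        self.cookie_name = cookie_name
        self._sessions = {}          # token -> {"user": str, "issued": float}
        self._revoked_before = 0.0   # tokens issued before this instant are dead

    def issue(self, user, now=None):
        """Mint a fresh random token for `user` and record when it was issued."""
        token = secrets.token_urlsafe(32)
        issued = time.time() if now is None else now
        self._sessions[token] = {"user": user, "issued": issued}
        return token

    def rename_cookie(self, new_name):
        """The 'fix' from the first comment: only the cookie's name changes."""
        self.cookie_name = new_name

    def revoke_all(self, now=None):
        """Global cut-off: every token issued before `now` stops validating."""
        self._revoked_before = time.time() if now is None else now

    def revoke_token(self, token):
        """Targeted revocation of a single known-leaked token."""
        self._sessions.pop(token, None)

    def authenticate(self, cookies, now=None):
        """Return the user for the request's cookies, or None if not logged in."""
        token = cookies.get(self.cookie_name)
        if token is None:
            return None
        rec = self._sessions.get(token)
        if rec is None or rec["issued"] < self._revoked_before:
            return None
        return rec["user"]


def demo(leaked_at=1000.0):
    """Walk through both remediations with a token that leaked at `leaked_at`."""
    store = SessionStore()
    token = store.issue("alice", now=leaked_at - 100)   # issued before the leak

    # 1. Rename the cookie: the leaked token still authenticates under the
    #    new name, because only the token value is ever validated.
    store.rename_cookie("remember_me_v2")
    after_rename = store.authenticate({"remember_me_v2": token})

    # 2. Invalidate server side: the same token now fails under any name.
    store.revoke_all(now=leaked_at)
    after_revoke = store.authenticate({"remember_me_v2": token})

    # A session issued after the cut-off (the user logging in again) works.
    new_token = store.issue("alice", now=leaked_at + 1)
    fresh = store.authenticate({"remember_me_v2": new_token})
    return after_rename, after_revoke, fresh


if __name__ == "__main__":
    print(demo())   # ('alice', None, 'alice')
```

The issued-before cut-off is the cheapest way to invalidate every outstanding token at once without enumerating them; a per-token `revoke_token` covers the case where only specific tokens are known to be exposed. Either way the decision is made on the server against stored state, which is what "invalidate the token" means in practice.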



