I was creating Phishlets and noticed that the site was using an anti-pattern cookie clear pattern where they would set the cookie to be expired, but they also set the value to `INVALID` instead of `""`. This results in the `all authorization tokens intercepted!` and redirect prematurely.
Is there any objection to ignoring expired cookies when evaluating whether an auth token has been captured? Maybe we could make this a setting if there is a case where this is intended behavior (can't think of one).
Thanks!
Brendan