Jonatan Vela

4 comments by Jonatan Vela

I didn't test this, but there might be an issue with the HMAC over the cookie values. The CookieValidator should not be able to successfully validate the cookies if the...

@Alexcei88 Thank you for your explanation; now I see that it will work. But isn't it an issue that the refresh token is now unsecured? An attacker may now send...

> Do you have any idea without adding one more HMAC cookie?

Well, the HMAC does not need to be in a separate cookie. You could exclude the refresh token...

@Alexcei88, excuse me, I mixed things up a little bit. The idea is to write the refresh token and its HMAC into one cookie. So there would be just four...