[ACCEPTED] Logout with HttpOnly cookie (tags: cookie, httponly)
If your service is sensitive, it does make sense to handle all realistic threat scenarios, and this one is pretty realistic.
Setting up two cookies, one of which is HttpOnly, is actually common in the standard CSRF prevention technique. I have not seen it in your specific scenario, but it is very similar to the anti-CSRF case, and looks like an obvious and easy application of the general two-cookies idea.