Saw something on a pen test today I haven't seen before. The application loads the session information from the session storage in the browser rather than from the cookies collection and then adds it as a header to every request. I'm not sure if that's better or worse or what.
And look, the "encryptedId" is a base64 encoded unsigned JWT. What fun.
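An added example, not code from the post or the application under test, showing what "base64 encoded unsigned JWT" means in practice: the token can be decoded, edited and re-encoded by anyone holding it, with no key involved. It assumes Node.js (global Buffer), a constructed sample token, and that the field value is either a bare JWT or a JWT wrapped in one extra layer of standard base64; the function names are illustrative.

```javascript
// Added example (not from the thread): inspect and tamper with an unsigned JWT.
// Assumptions: Node.js (Buffer is global); the token is either a bare JWT or a
// JWT wrapped in one extra layer of standard base64. Sample data is constructed.

function b64urlDecode(s) {
  return Buffer.from(s, "base64url").toString("utf8");
}
function b64urlEncode(s) {
  return Buffer.from(s, "utf8").toString("base64url");
}

// Split header.payload.signature and decode the two JSON parts.
function parseJwt(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("not a JWS compact serialization");
  return {
    header: JSON.parse(b64urlDecode(parts[0])),
    payload: JSON.parse(b64urlDecode(parts[1])),
    signature: parts[2], // raw base64url; empty for an unsigned token
  };
}

// A token with alg "none" or an empty signature segment is unsigned: the
// server has no way to tell what it issued from what the client edited.
function isUnsigned(token) {
  const { header, signature } = parseJwt(token);
  return String(header.alg).toLowerCase() === "none" || signature === "";
}

// If the value is not itself a JWT, peel off one layer of standard base64
// (the "double encoding" the thread jokes about). Base64 has no dots, so a
// wrapped token never looks like three segments before decoding.
function unwrapToken(value) {
  if (value.split(".").length === 3) return value;
  const inner = Buffer.from(value, "base64").toString("utf8");
  if (inner.split(".").length === 3) return inner;
  throw new Error("value is neither a JWT nor a base64-wrapped JWT");
}

// Re-encode the payload with changed claims and no signature. If the server
// accepts the result, the "encryptedId" provides no integrity at all.
function forgeUnsignedJwt(token, changes) {
  const { header, payload } = parseJwt(token);
  const newHeader = { ...header, alg: "none" };
  const newPayload = { ...payload, ...changes };
  return `${b64urlEncode(JSON.stringify(newHeader))}.` +
         `${b64urlEncode(JSON.stringify(newPayload))}.`;
}

// Constructed sample: what such an "encryptedId" might look like.
const SAMPLE_TOKEN =
  `${b64urlEncode(JSON.stringify({ alg: "none", typ: "JWT" }))}.` +
  `${b64urlEncode(JSON.stringify({ sub: "1001", role: "user" }))}.`;
const SAMPLE_WRAPPED = Buffer.from(SAMPLE_TOKEN, "utf8").toString("base64");

// Walk-through: unwrap, confirm it is unsigned, then rewrite the claims.
const token = unwrapToken(SAMPLE_WRAPPED);
console.log("unsigned:", isUnsigned(token)); // true
console.log("claims:", parseJwt(token).payload);
const forged = forgeUnsignedJwt(token, { sub: "1", role: "admin" });
console.log("forged:", forged, parseJwt(forged).payload);
```

On a test, the check that matters is the last step: send the forged token back and see whether the application honours the edited claims. A server that validates a signature (HMAC or asymmetric, with `alg: none` explicitly rejected) would refuse it; one that only base64-decodes will not.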
@Sempf
Base64 is nearly five times better than rot13.
@varx The field is literally called "EncryptedId" ... and it is base64 encoded. Not even signed!
@FritzAdalis @Sempf but is it all that much better than triple-rot13?
@mirabilos @Sempf
Okay base64 is only 1.64 times better than 3ROT13.
@mirabilos @FritzAdalis @Sempf Look, we're in the age of Unicode, so rot77499* is the new rot13.
* For rotating over the characters of Unicode 16.0, so YMMV depending on when you read this.
@FritzAdalis @mirabilos @Sempf rot13 the base64. That’s military grade[*] encryption
[*] Roman Republic military
@jonathankoren @FritzAdalis @mirabilos Ah, the infamous Double Encryption.
(I actually had someone tell me that. They had URL encoded and Base64 encoded a string and told me it was "double encrypted" so I didn't have to even worry about it.)
@ww I haven't figured out how yet, but they are protecting from CSRF. Gonna figure that out Monday.
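An added example, not code from the thread or the application under test, showing one way the design described at the top (session token read from sessionStorage and sent as a request header, with cookies ignored) can double as a CSRF defence. It is a server-side check over plain request objects so it runs offline. The header name X-Session-Token, the origin https://app.example, the Sec-Fetch-Site check and the token store are illustrative assumptions, not the tested application's real values.

```javascript
// Added example (not from the thread): a server-side check showing how a
// session token carried in a custom request header, rather than a cookie,
// can double as a CSRF defence. Assumed names: X-Session-Token header,
// app origin https://app.example, stand-in token store. Requests are constructed.

const APP_ORIGIN = "https://app.example";
const SESSION_HEADER = "x-session-token";
const VALID_TOKENS = new Map([["tok-123", { user: "alice" }]]); // constructed

// Header names are matched case-insensitively, as a real server would.
function header(req, name) {
  const key = Object.keys(req.headers).find((k) => k.toLowerCase() === name);
  return key === undefined ? undefined : req.headers[key];
}

// The session comes only from the custom header; cookies are never consulted.
// A cross-site <form> post can carry cookies but cannot set custom headers,
// so it fails here regardless of what the browser attached.
function authorize(req) {
  const token = header(req, SESSION_HEADER);
  if (!token) return { status: 401, reason: "missing session header" };
  // Defence in depth: modern browsers label the request's relationship to the
  // site. Anything other than same-origin (or none, a direct navigation) is
  // rejected even if a header somehow got through.
  const site = header(req, "sec-fetch-site");
  if (site && !["same-origin", "none"].includes(site)) {
    return { status: 403, reason: `cross-site request (Sec-Fetch-Site: ${site})` };
  }
  const session = VALID_TOKENS.get(token);
  if (!session) return { status: 401, reason: "unknown token" };
  return { status: 200, user: session.user };
}

// A cross-origin fetch() that adds a custom header is forced into a CORS
// preflight first. Granting no Access-Control-Allow-* headers to a foreign
// origin makes the browser drop the real request before sending it.
function preflight(req) {
  const origin = header(req, "origin");
  if (origin !== APP_ORIGIN) return null; // foreign origin: no CORS grant
  const requested = (header(req, "access-control-request-headers") || "")
    .toLowerCase().split(",").map((s) => s.trim()).filter(Boolean);
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Headers": requested.join(", "),
  };
}

// Constructed requests, shaped as a browser would emit them.
const SAME_ORIGIN_FETCH = {
  method: "POST",
  headers: { "Sec-Fetch-Site": "same-origin", "X-Session-Token": "tok-123" },
};
const CROSS_SITE_FORM = {
  method: "POST",
  headers: { "Sec-Fetch-Site": "cross-site", Cookie: "legacy=abc" },
};
const CROSS_ORIGIN_PREFLIGHT = {
  method: "OPTIONS",
  headers: {
    Origin: "https://evil.example",
    "Access-Control-Request-Method": "POST",
    "Access-Control-Request-Headers": "x-session-token",
  },
};

console.log(authorize(SAME_ORIGIN_FETCH));      // { status: 200, user: 'alice' }
console.log(authorize(CROSS_SITE_FORM));        // { status: 401, reason: ... }
console.log(preflight(CROSS_ORIGIN_PREFLIGHT)); // null
```

The trade-off behind the "better or worse" question in the first post: a token in sessionStorage is out of reach of cross-site forms, but it is readable by any script running on the page, so an XSS bug hands it straight to the attacker, which an HttpOnly cookie would not. Whether the header is required on every state-changing endpoint, and whether the CORS configuration really withholds the grant from foreign origins, are the two things to verify when confirming the CSRF story.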