
I have a web application that relies on a persistent cookie that is marked as HttpOnly / Secure in order to securely keep the session ID.

The issue is that when this web application is embedded cross-domain, it no longer works on iOS, which blocks third-party cookies.

The normal recommendation for avoiding this would be to use JWT or something carried in a header (such as an Auth Bearer token), which works great for REST APIs.

But what is the alternative to cookies for normal page requests (not REST), as the user is loading new pages? The only thing I can think of is a query string value, but that is very insecure since anyone can see it, even over HTTPS.

automaton
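The question's premise is a session cookie marked HttpOnly/Secure that must be sent from a cross-site frame. The following Python is an added example, not code from the question or any commenter: it audits a `Set-Cookie` header value for the attributes such a cookie needs before any browser will consider sending it cross-site (`Secure`, `HttpOnly`, and `SameSite=None`, which browsers reject unless `Secure` is also present), and builds a header that passes the audit. The cookie name `sid` and the sample header values are constructed. Safari's third-party cookie blocking described in the question applies even when every attribute here is correct, so this is a precondition check, not a workaround.

```python
from http.cookies import SimpleCookie
from typing import List

# Sample Set-Cookie values, constructed for this example (not from any real app).
SAMPLE_HEADERS = {
    "first_party_only": "sid=9f8e7d6c; Path=/; Secure; HttpOnly",
    "lax": "sid=9f8e7d6c; Path=/; Secure; HttpOnly; SameSite=Lax",
    "insecure_none": "sid=9f8e7d6c; Path=/; HttpOnly; SameSite=None",
}


def audit_session_cookie(set_cookie_value: str) -> List[str]:
    """Return findings for one Set-Cookie header value.

    An empty list means the cookie carries every attribute a cross-site
    frame needs; each finding names the cookie and what is missing.
    """
    jar = SimpleCookie()
    jar.load(set_cookie_value)
    findings = []
    for name, morsel in jar.items():
        if not morsel["secure"]:
            findings.append(f"{name}: missing Secure (required, and SameSite=None is rejected without it)")
        if not morsel["httponly"]:
            findings.append(f"{name}: missing HttpOnly (session ID readable by page scripts)")
        # Chromium-based browsers treat an absent SameSite attribute as Lax,
        # which blocks the cookie on cross-site requests from an embed.
        samesite = morsel["samesite"] or "(not set, treated as Lax)"
        if samesite.lower() != "none":
            findings.append(f"{name}: SameSite={samesite}; a cross-site embed needs SameSite=None")
    return findings


def cross_site_session_cookie(name: str, value: str, max_age: int) -> str:
    """Build a Set-Cookie value carrying the attributes audit_session_cookie checks."""
    jar = SimpleCookie()
    jar[name] = value
    jar[name]["path"] = "/"
    jar[name]["secure"] = True
    jar[name]["httponly"] = True
    jar[name]["samesite"] = "None"
    jar[name]["max-age"] = max_age
    return jar[name].OutputString()


if __name__ == "__main__":
    for label, header in SAMPLE_HEADERS.items():
        print(label, audit_session_cookie(header) or "OK")
    generated = cross_site_session_cookie("sid", "9f8e7d6c", 3600)
    print("generated:", generated, audit_session_cookie(generated) or "OK")
```

Run it against the `Set-Cookie` headers your own responses emit (for example, captured from the browser's network panel); a cookie that fails this audit will be dropped by every major browser in a cross-site frame, and one that passes is still subject to the platform-level blocking the question is about.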
  • You're right that query strings aren't very secure for sending sensitive data over HTTPS, but it is not true that anyone can see it. Query strings are also encrypted using SSL/TLS, meaning between client and server they are as secure as any other content you send. The issue is that URLs are often stored in web server logs, meaning the URL including the query string is getting saved in clear text on the server. – Kevin Jan 25 '22 at 15:11
  • Yes, that's fair, but regardless I can't use query strings, so I need an alternative. – automaton Jan 25 '22 at 15:16
  • Hi @automaton, Jon Galloway has given some methods. Here is a [link](https://stackoverflow.com/questions/1195075/alternative-to-query-string-and-cookies-when-sending-data-to-server); I hope it can help you. – Xinran Shen Jan 26 '22 at 08:31
  • No, that doesn't help because page requests are GET, not POST. – automaton Jan 26 '22 at 16:09
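Kevin's point above, that a session ID placed in a query string is encrypted in transit but lands in clear text in the web server's access logs, is one a defender can at least contain at the logging layer. The following Python is an added example, not code from the question or any commenter: it scrubs the values of session-like parameters from the request line and from any quoted Referer URL in Apache/nginx combined-format log lines before they are stored or shipped. The list of sensitive parameter names and the two sample log lines are constructed for the example.

```python
import re
from typing import List, Tuple
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Query parameter names (lower-cased) whose values are treated as secrets.
# Constructed for this example; extend it with your application's own names.
SENSITIVE_PARAMS = {"sid", "session", "sessionid", "token", "access_token", "auth"}
REDACTED = "REDACTED"

# Request line of a combined-format entry:  "GET /path?query HTTP/1.1"
REQUEST_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[0-9.]+)"')
# Any other quoted absolute URL in the entry, which in combined format is the Referer.
QUOTED_URL = re.compile(r'"(?P<url>https?://[^"\s]+)"')

# Constructed sample log lines (addresses, hosts and IDs are invented).
SAMPLE_LOG_LINES = [
    '203.0.113.7 - - [25/Jan/2022:15:11:00 +0000] "GET /account?sid=9f8e7d6c&page=2 HTTP/1.1" 200 512 '
    '"https://embedder.example/widget?token=a1b2c3" "Mozilla/5.0"',
    '203.0.113.7 - - [25/Jan/2022:15:11:02 +0000] "GET /static/app.js HTTP/1.1" 200 8192 "-" "Mozilla/5.0"',
]


def redact_url(url: str) -> Tuple[str, bool]:
    """Replace the values of sensitive query parameters in a URL or request target.

    Returns (possibly rewritten url, whether anything was redacted). Parameter
    order and non-sensitive values are preserved.
    """
    parts = urlsplit(url)
    if not parts.query:
        return url, False
    changed = False
    pairs = []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key.lower() in SENSITIVE_PARAMS and value:
            pairs.append((key, REDACTED))
            changed = True
        else:
            pairs.append((key, value))
    if not changed:
        return url, False
    return urlunsplit(parts._replace(query=urlencode(pairs))), True


def redact_log_line(line: str) -> str:
    """Redact one combined-format access-log line; unrelated lines come back unchanged."""
    def _request(m: "re.Match") -> str:
        target, _ = redact_url(m.group("target"))
        return f'"{m.group("method")} {target} {m.group("proto")}"'

    def _quoted(m: "re.Match") -> str:
        url, _ = redact_url(m.group("url"))
        return f'"{url}"'

    line = REQUEST_LINE.sub(_request, line, count=1)
    return QUOTED_URL.sub(_quoted, line)


def redact_log(lines: List[str]) -> List[str]:
    """Apply redact_log_line to a batch of lines, e.g. before forwarding to a SIEM."""
    return [redact_log_line(line) for line in lines]


if __name__ == "__main__":
    for original, cleaned in zip(SAMPLE_LOG_LINES, redact_log(SAMPLE_LOG_LINES)):
        print("before:", original)
        print("after: ", cleaned)
```

Redaction at write time only limits the exposure; the URL has already passed through browser history, proxies and any intermediate logging, so it does not make a query-string session ID safe, which is why the asker is right to look elsewhere.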

0 Answers