Hi everyone,
I created a new LiveView app and am using phx.gen.auth for authentication. How can I make the session token (cookie) work for only a single system/browser?
I can copy the logged-in token from dev tools and use it in a different browser to access the page; I don't want this to happen.
Is there a simple way to do this? Thanks in advance!!!
Then you need to fingerprint the browser. Search for it; there are a few ways to do it.
It may have ethical or legal consequences, though.
1 Like
Isn't that how every single cookie works? Does your security model really need to include "someone hacked the user's browser"?
2 Likes
My security team asked me to add this.
You cannot secure your users' browser. If a cookie can be copied from browser A to browser B, there's nothing you can do to prevent this. You generally don't even know if the request comes from a browser in the first place.
What you can look into is not accepting the cookie as valid unless some additional checks you do pass. That's the fingerprinting mentioned earlier. The simplest would be using IP and/or user-agent checks, or even more involved browser/JS-level stuff. All of those come with tradeoffs, though. E.g. personal internet access often does not come with a stable IP, user-agent strings are easier to copy than the cookie, JS-level checks might change their return value, … In the end most of those values also have ways to be set from the client, so they can be worked around. Therefore, in the end you're back to "you cannot prevent this, you can only make things harder".
1 Like
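A concrete form of the "additional checks" described in the reply above, written as an added example for this thread; it is not code from the thread or from what phx.gen.auth generates. It is a plug that stores a hash of request attributes in the session on first use and rejects the session when a later request no longer matches. The module name `MyAppWeb.SessionBinding`, the session key `:session_fingerprint`, the `/users/log_in` path and the `:bind_to` option are all assumptions.

```elixir
defmodule MyAppWeb.SessionBinding do
  @moduledoc """
  Hypothetical plug (added example, not part of phx.gen.auth) that binds a
  session to a fingerprint of the request and drops the session when the
  fingerprint changes. Put it in the :browser pipeline after :fetch_session.

  Options:
    bind_to: list of attributes hashed into the fingerprint.
             Supported: :user_agent (default) and :ip.
  """
  @behaviour Plug

  import Plug.Conn
  import Phoenix.Controller, only: [put_flash: 3, redirect: 2]

  # Session key holding the fingerprint; an assumed name.
  @session_key :session_fingerprint
  # Where to send a user whose session was rejected; an assumed route.
  @login_path "/users/log_in"

  @impl true
  def init(opts), do: Keyword.put_new(opts, :bind_to, [:user_agent])

  @impl true
  def call(conn, opts) do
    fingerprint = fingerprint(conn, Keyword.fetch!(opts, :bind_to))

    case get_session(conn, @session_key) do
      # First request on this session: record the fingerprint.
      nil ->
        put_session(conn, @session_key, fingerprint)

      # Same fingerprint as before: let the request through.
      ^fingerprint ->
        conn

      # Mismatch: wipe the session (including the phx.gen.auth user token),
      # rotate the session id, and send the client back to the login page.
      _other ->
        conn
        |> configure_session(renew: true)
        |> clear_session()
        |> put_flash(:error, "Your session is no longer valid; please log in again.")
        |> redirect(to: @login_path)
        |> halt()
    end
  end

  # Hash the selected request attributes into one opaque value so the
  # session stores neither the raw user agent nor the raw IP address.
  defp fingerprint(conn, attrs) do
    material =
      attrs
      |> Enum.map(&attribute(conn, &1))
      |> Enum.join("|")

    :crypto.hash(:sha256, material) |> Base.encode16(case: :lower)
  end

  defp attribute(conn, :user_agent) do
    conn |> get_req_header("user-agent") |> List.first("")
  end

  defp attribute(conn, :ip) do
    conn.remote_ip |> :inet.ntoa() |> to_string()
  end
end

# Router usage (assumed placement inside the generated :browser pipeline):
#
#   pipeline :browser do
#     plug :fetch_session
#     plug MyAppWeb.SessionBinding, bind_to: [:user_agent]
#     plug :fetch_current_user
#     ...
#   end
```

Binding only to the user agent keeps mobile users with changing IPs logged in, but, as the reply says, a user-agent string is trivial to set on the client, so this raises the bar rather than removing the risk; binding to `:ip` as well makes a copied cookie fail from another network at the cost of logging people out when their address changes. Because the check lives in the HTTP pipeline it runs on every page load and LiveView dead render but not on the WebSocket upgrade itself, so an already-connected LiveView socket is not re-checked until the next HTTP request.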
If your security team cannot explain to you why, then it is highly likely that they are full of it.
3 Likes
Thank you all for the clarification.