SShortSingh.
Back to feed

Developer Discovers Cookie-Based Auth Breaks When Building Mobile App for Web Project

0
·2 views

A developer building StashD, a link-organizing app using Next.js and Flask, chose httpOnly cookies for authentication, believing it to be a secure and straightforward approach. Three months into the project, plans to add a native mobile app revealed a critical flaw: unlike browsers, native apps have no cookie jar and cannot automatically attach cookies to requests. This forced a re-examination of the core difference between cookies and bearer tokens — both carry a JWT, but cookies are attached automatically by the browser while bearer tokens must be manually attached via code. The developer noted that cookies offer XSS protection but require CSRF mitigations, whereas bearer tokens are CSRF-immune by design but more vulnerable if stored in JavaScript-accessible locations. The key takeaway was that an auth mechanism relying on browser-specific behavior is not a portable design, but an assumption that only holds in one environment.

Read the full story at DEV Community

This is an AI-generated summary. ShortSingh links to the original source for the complete article.

Discussion (0)

Log in to join the discussion and vote.

Log in

Related stories

0
ProgrammingDEV Community ·

Cordless v0.6 Launches CLI-First Terminal Dashboard with QR Pairing and Self-Contained Binary

Cordless, a tool for managing remote terminal and coding-agent sessions on mobile, has released version 0.6 with a redesigned CLI-first approach. Running the app now opens a full-screen terminal dashboard that immediately displays a pairing QR code, eliminating the need to run a separate pairing command. The update ships as a single self-contained binary bundling its own Node.js runtime and node-pty, removing any prior installation requirements. Security has also been tightened, with pairing codes now issued exclusively through an authenticated WebSocket call restricted to loopback connections, making remote device enrollment impossible. The persistent daemon architecture ensures that closing the dashboard never interrupts active sessions or phone connections.

0
ProgrammingDEV Community ·

Common jq Pitfalls in Shell Scripts and How to Handle Them

Developers and sysadmins using jq to process JSON in shell scripts often encounter edge cases that work in testing but fail in production. Key issues include improper null handling and unexpected behavior when querying missing or empty fields. Using flags like -r for raw string output and -e to detect null results with exit code 5 can help catch these problems early. Defensive scripting patterns, such as explicit null checks and error exits, are recommended to avoid hard-to-debug production failures. These are not flaws in jq itself but rather subtleties that arise when combining shell scripting with real-world JSON data processing.

0
ProgrammingDEV Community ·

SOLID Principles Explained: Five Rules for Cleaner, Scalable Software Design

SOLID is a set of five software design principles aimed at improving code quality, scalability, and maintainability. The Single Responsibility Principle states that each class should have only one reason to change, avoiding so-called 'God Classes' that handle multiple concerns at once. The Open/Closed Principle advises that code should be open for extension but closed for modification, reducing reliance on conditional logic when adding new features. The Liskov Substitution Principle requires that child classes can replace parent classes without breaking the application, encouraging more careful inheritance planning. The Interface Segregation Principle holds that no class should be forced to depend on methods it does not need, favoring smaller, purpose-specific interfaces over large, all-encompassing ones.