Join devRant
Do all the things like
++ or -- rants, post your own rants, comment on others' rants and build your customized dev avatar
Sign Up
Pipeless API
From the creators of devRant, Pipeless lets you power real-time personalized recommendations and activity feeds using a simple API
Learn More
-
I dont get this, even with staging/prod cookie mixup, and assuming the staging cookie-auth is sent to the prod, the point of staging is that the auth DBs between staging/prod differ
So the cookie's JWT/RT would be rejected by the prod and all you'd have annoyed users who get auto-logged out coz cookie sessions fucked up
COOOOKKKIIIEEES!!!
!rant
Happy holidays ranters!
I've given up hope a long time ago...
Someone didn’t properly set the httpcookies domain for our staging and production websites. Yep, this was a C#/.NET site. The cookie domain for the staging site was set to the production domain instead of the staging domain (which was a subdomain). So if someone logged into the staging admin, that would also grant them access to production admin if they also had an account in the production site.
The staging site technically had an additional login to enter the site, but the username and password weren’t too hard to guess. It was like that for years until I was hired to be an in-house dev (the role was previously outsourced to a software development company).
The admin side of the website wasn’t very sophisticated. But there was enough personal identifying info for a hacker to do something with.
I don’t know how they weren’t hacked yet. Honestly, I’d tell my employer to go back to that software agency and ask for a refund and cite the shotty work.
rant
wk351
how did they not get hacked
cookies
ask for a refund