Meta Platforms, Inc.
Systems and methods for preventing session fixation over a domain portal

Abstract:

In one embodiment, a method includes a system receiving a request from a user's device, the request being directed to a first host. The system may generate a key, a verification token, and an encrypted key. The system may transmit the verification token and the encrypted key to the device from the first host, and transmit instructions configured to cause (1) the verification token to be stored as a cookie associated with the first host, and (2) the device to transmit the encrypted key to a second host. The system may receive a second request comprising the encrypted key from the device, and decrypt it to obtain the key upon determining that the encrypted key was not previously decrypted. The system may transmit the key to the device from the second host, and instruct the device to store the key as a cookie associated with the second host.