Correct option:
All the above options
Explanation:
To protect an SSO token from theft, spoofing, or forgery, multiple methods are typically employed:
- Invalidate the SSO token on the server side after logout: the server records the token (or its identifier) as revoked and rejects it on every later request, so a copy of the token, stolen before or after logout, cannot be used once the user logs off. Relying on the client to discard the cookie is not enough; the check has to happen on the server.
- Digitally sign and encrypt the token: the signature lets the server detect a token it did not issue (forgery) or one that was altered in transit (tampering), provided the signature is verified on every request; encryption keeps the token's contents (user identity, claims) confidential. Binding an issue time and a short expiry into the signed payload, so that the token is only valid for a limited window, reduces how long a stolen or replayed token remains useful. Note that signing does not hide the token from an attacker on the network path; TLS is what prevents interception in transit.
- Set the "HttpOnly" attribute for cookies: this prevents client-side JavaScript from reading the cookie, so a cross-site scripting (XSS) payload cannot simply read the token and send it to the attacker. HttpOnly does not stop the browser from attaching the cookie to requests, so it is normally combined with the Secure attribute (send over HTTPS only) and a SameSite value (restrict cross-site requests).
All of these methods collectively help ensure the security of the SSO token.
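The following is an added illustration, not code from the original question or any particular SSO product, showing the three controls above working together in Python's standard library: a token whose payload (subject, unique id, issue time, expiry) is protected by an HMAC-SHA256 signature, a server-side revocation set consulted on logout, and a Set-Cookie header carrying HttpOnly, Secure and SameSite. The key, the cookie name `sso_token`, and the in-memory revocation set are assumptions for the example; a real deployment loads the key from a secret store, keeps revocations in a shared store such as a database or cache, and adds encryption with an AEAD cipher from a library such as `cryptography` (not shown here).

```python
import base64
import hashlib
import hmac
import json
import os
import time
from typing import Optional

# Hypothetical signing key for this example; production code loads it from a secret store.
SERVER_KEY = os.urandom(32)

# Server-side record of token ids invalidated at logout (assumed in-memory for the example).
REVOKED_TOKEN_IDS = set()


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user: str, ttl_seconds: int = 900, now: Optional[float] = None) -> str:
    """Issue a signed token: base64url(payload) '.' base64url(HMAC-SHA256(payload))."""
    now = time.time() if now is None else now
    payload = {
        "sub": user,
        "jti": _b64url(os.urandom(16)),   # unique id, used for server-side revocation
        "iat": int(now),
        "exp": int(now) + ttl_seconds,    # short lifetime limits the value of a stolen token
    }
    body = _b64url(json.dumps(payload, separators=(",", ":"), sort_keys=True).encode())
    sig = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64url(sig)}"


def verify_token(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Return the payload if the token is authentic, unexpired and not revoked, else None."""
    now = time.time() if now is None else now
    try:
        body, sig_text = token.split(".", 1)
        expected = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).digest()
        # Constant-time comparison so the check does not leak signature bytes via timing.
        if not hmac.compare_digest(expected, _b64url_decode(sig_text)):
            return None                   # forged or tampered token
        payload = json.loads(_b64url_decode(body))
    except ValueError:                    # bad base64, bad JSON, missing separator
        return None
    if payload.get("exp", 0) <= now:
        return None                       # expired
    if payload.get("jti") in REVOKED_TOKEN_IDS:
        return None                       # invalidated on the server at logout
    return payload


def logout(token: str, now: Optional[float] = None) -> bool:
    """Invalidate a token server-side. Returns True if a valid token was revoked."""
    payload = verify_token(token, now)
    if payload is None:
        return False
    REVOKED_TOKEN_IDS.add(payload["jti"])
    return True


def session_cookie_header(token: str) -> str:
    """Set-Cookie line: HttpOnly blocks script access, Secure restricts the cookie to HTTPS,
    SameSite=Strict keeps the browser from attaching it to cross-site requests."""
    return f"Set-Cookie: sso_token={token}; Path=/; HttpOnly; Secure; SameSite=Strict"


if __name__ == "__main__":
    tok = issue_token("alice", ttl_seconds=60)
    print(session_cookie_header(tok))
    print("valid before logout:", verify_token(tok) is not None)
    logout(tok)
    print("valid after logout: ", verify_token(tok) is not None)
```

Each check in `verify_token` maps to one bullet above: the signature comparison rejects forged or altered tokens, the expiry bound into the signed payload enforces the limited validity window, and the revocation lookup is the server-side invalidation performed at logout. Swapping the body of a valid token for a different payload while keeping the old signature fails the comparison, which is the property the signature is there to provide.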