Open ChakshuGautam opened 3 years ago
I wanted to prevent users from getting the sessionID and using it in non-logged-in browsers. I have added the following snippet here to discard cookies after one second:
req.getSession(false).setMaxInactiveInterval(1); // To prevent session hijacking.
https://github.com/getodk/aggregate/blob/bad45279a5ca96619e87ad4a14448fe70b62e227/src/main/java/org/opendatakit/common/security/server/SecurityServiceImpl.java#L57
This seems to be working fine, but I don't know the side effects of this approach. Anything else that I can do here?
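For comparison, an added example (not ODK Aggregate's code) of the servlet-level session controls that address the same concern without the one-second inactivity window, which also expires legitimate users after one idle second. It assumes a Servlet 3.1+ container; the `principal` argument and attribute name are placeholders.

```java
import javax.servlet.ServletContext;
import javax.servlet.SessionCookieConfig;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/**
 * Illustrative session-hardening helpers (added example, not project code).
 * Assumes Servlet 3.1 or newer for changeSessionId().
 */
public final class SessionHardening {

    // A realistic idle timeout. setMaxInactiveInterval(1), as in the question,
    // also logs out every legitimate user after one second of inactivity.
    private static final int INACTIVE_SECONDS = 15 * 60;

    /**
     * Call during context initialization (e.g. from a ServletContextListener);
     * the container rejects changes once it has started. HttpOnly keeps scripts
     * from reading JSESSIONID, Secure keeps it off plain HTTP.
     */
    public static void configureCookie(ServletContext ctx) {
        SessionCookieConfig cfg = ctx.getSessionCookieConfig();
        cfg.setHttpOnly(true);
        cfg.setSecure(true);
    }

    /** Call once credentials have been verified. */
    public static HttpSession onLoginSuccess(HttpServletRequest req, Object principal) {
        if (req.getSession(false) != null) {
            // Session fixation defense: any ID the client held before
            // authenticating is retired; attributes carry over to the new ID.
            req.changeSessionId();
        }
        HttpSession session = req.getSession(true);
        session.setMaxInactiveInterval(INACTIVE_SECONDS);
        session.setAttribute("principal", principal); // placeholder attribute name
        return session;
    }

    /** Server-side logout: once invalidated, a copied ID is useless everywhere. */
    public static void onLogout(HttpServletRequest req) {
        HttpSession session = req.getSession(false);
        if (session != null) {
            session.invalidate();
        }
    }
}
```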