istio-ecosystem / authservice

Move OIDC token acquisition out of your app code and into the Istio mesh
Apache License 2.0

Session management #65

Closed cfryanr closed 4 years ago

cfryanr commented 4 years ago

Once we have finished implementing server-side sessions, we should consider:

  1. Issue new session IDs as often as possible to help users avoid things like session fixation attacks
  2. Session timeouts
    1. Offer a configuration option for max session idle time
    2. Offer a configuration option for max absolute session lifetime
    3. Also expire session info from the session storage to reduce resource usage

https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Session_Management_Cheat_Sheet.md
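The items in the checklist above, carried through as one worked example. This is added illustration code, not authservice's implementation and not part of the issue or the linked PR; it is written in C++ because that is the project's language. Every name in it (`SessionPolicy`, `SessionStore`, `Create`, `Get`, `Rotate`, `Purge`, the two timeout fields) is hypothetical. Clock values are passed in as Unix seconds rather than read from the system clock so the behaviour can be checked deterministically; the policy values and session payloads are constructed sample input.

```cpp
// Added example (not authservice's own code): an in-memory session store that
// rotates session IDs, enforces idle and absolute timeouts, and purges expired
// entries from storage. Timestamps are Unix seconds supplied by the caller.
#include <cstddef>
#include <cstdint>
#include <optional>
#include <random>
#include <string>
#include <unordered_map>

struct SessionPolicy {
  int64_t max_idle_seconds;      // hypothetical "max session idle time" option
  int64_t max_absolute_seconds;  // hypothetical "max absolute session lifetime" option
};

struct SessionRecord {
  std::string data;      // whatever is kept server-side, e.g. serialized tokens
  int64_t created_at;    // start of the absolute lifetime; never reset
  int64_t last_seen_at;  // start of the idle window; reset on each use
};

class SessionStore {
 public:
  explicit SessionStore(SessionPolicy policy) : policy_(policy) {}

  // Create a session and return its freshly generated ID.
  std::string Create(const std::string& data, int64_t now) {
    std::string id = NewId();
    sessions_[id] = SessionRecord{data, now, now};
    return id;
  }

  // Look up a session; an expired session is dropped and reported as absent.
  // A successful lookup counts as activity and extends the idle window only.
  std::optional<std::string> Get(const std::string& id, int64_t now) {
    auto it = sessions_.find(id);
    if (it == sessions_.end()) return std::nullopt;
    if (Expired(it->second, now)) {
      sessions_.erase(it);
      return std::nullopt;
    }
    it->second.last_seen_at = now;
    return it->second.data;
  }

  // Issue a new ID for an existing session (e.g. right after authentication)
  // so that an ID an attacker may have planted beforehand stops working.
  // created_at is carried over: rotation must not extend the absolute lifetime,
  // otherwise repeated rotation would keep a session alive indefinitely.
  std::optional<std::string> Rotate(const std::string& id, int64_t now) {
    auto it = sessions_.find(id);
    if (it == sessions_.end()) return std::nullopt;
    if (Expired(it->second, now)) {
      sessions_.erase(it);
      return std::nullopt;
    }
    SessionRecord record = it->second;
    record.last_seen_at = now;
    sessions_.erase(it);
    std::string new_id = NewId();
    sessions_[new_id] = record;
    return new_id;
  }

  // Remove every expired record from storage; returns how many were removed.
  // Meant to run periodically so abandoned sessions do not accumulate.
  size_t Purge(int64_t now) {
    size_t removed = 0;
    for (auto it = sessions_.begin(); it != sessions_.end();) {
      if (Expired(it->second, now)) {
        it = sessions_.erase(it);
        ++removed;
      } else {
        ++it;
      }
    }
    return removed;
  }

  size_t Size() const { return sessions_.size(); }

 private:
  bool Expired(const SessionRecord& r, int64_t now) const {
    return now - r.last_seen_at > policy_.max_idle_seconds ||
           now - r.created_at > policy_.max_absolute_seconds;
  }

  // 128 random bits, hex encoded (32 characters). std::random_device is the
  // closest thing to a CSPRNG in the standard library; a deployment should use
  // a vetted one from the platform or crypto library instead.
  std::string NewId() {
    static const char* hex = "0123456789abcdef";
    std::string id;
    for (int i = 0; i < 4; ++i) {
      uint32_t word = static_cast<uint32_t>(rng_());
      for (int shift = 28; shift >= 0; shift -= 4) id += hex[(word >> shift) & 0xf];
    }
    return id;
  }

  SessionPolicy policy_;
  std::unordered_map<std::string, SessionRecord> sessions_;
  std::random_device rng_;
};
```

The two timeouts are enforced independently: `Get` refreshes `last_seen_at` but never `created_at`, and `Rotate` copies `created_at` into the new record, so neither activity nor ID rotation can push a session past the absolute limit. `Purge` covers the third point of item 2: without it, a session that is never touched again stays in storage even though `Get` would refuse it.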

cfryanr commented 4 years ago

Closed by https://github.com/istio-ecosystem/authservice/pull/67