jmueller17 / Aixada

Aixada helps self-managed consumption cooperatives to organize their flow of products, money, and information.

Use $_SESSION instead of encrypted cookie. #249

Closed jorix closed 5 years ago

jorix commented 5 years ago

It is proposed that the security information be stored only in $_SESSION; in this way no security data is kept on the client, even though it was encrypted.

The proposal no longer requires cookies, except for the $_SESSION itself.

Code to access $_SESSION has been centralized in php/utilities/general.php, wrapping any other access to $_SESSION, which allows managing the session destruction when suspicious situations occur.

A security hole has also been covered in all controllers; now the controls deny requests if the user is not properly identified.

This change allows Aixada to work with PHP 7.3 in most sections (for the rest see #248) (Aixada stops using mcrypt, which is no longer supported by PHP 7.1).

NOTE: This code has already been in production for two weeks.
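
The pattern described in the comment above (one wrapper around $_SESSION that destroys the session on a suspicious request, plus a deny-by-default check at the top of each controller), as an added example that is not Aixada's code from php/utilities/general.php. The function names, the session keys and the User-Agent comparison standing in for a "suspicious situation" are all assumptions.

```php
<?php
// Added example, not Aixada's code; all names and session keys are hypothetical.
function app_session_start(): void {
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start(['cookie_httponly' => true, 'use_strict_mode' => true]);
    }
}

// Assumed "suspicious situation": the User-Agent changes within one session.
function app_fingerprint(): string {
    return hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
}

function app_session_destroy(): void {
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 3600, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}

function app_login(int $userId): void { // call only after credentials are verified
    app_session_start();
    session_regenerate_id(true); // fresh ID at login, so a pre-set ID is useless
    $_SESSION['user_id'] = $userId;
    $_SESSION['fingerprint'] = app_fingerprint();
}

// Single read path for the identity; a mismatch destroys the session.
function app_current_user(): ?int {
    app_session_start();
    if (!isset($_SESSION['user_id'], $_SESSION['fingerprint'])) {
        return null;
    }
    if (!hash_equals((string) $_SESSION['fingerprint'], app_fingerprint())) {
        app_session_destroy();
        return null;
    }
    return (int) $_SESSION['user_id'];
}

// First statement of every controller: deny unless the user is identified.
function app_require_login(): int {
    $uid = app_current_user();
    if ($uid === null) {
        http_response_code(401);
        exit('Not authenticated');
    }
    return $uid;
}
```

With this layout the only value the browser holds is the session ID, so there is nothing client-side to decrypt or tamper with, and no dependency on mcrypt.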