Is your feature request related to a problem? Please describe.
auth-module will set and get the strategy name in a cookie (when configured to use cookies); this causes a problem when doing a PCI scan.
The vulnerability reported by HackerGuardian is called "Web Server Predictable Session ID Vulnerability".
HackerGuardian will scan the website 5 times, and expect a different random cookie value from each subsequent request.
RESULT:
Session cookies are:
#1: Set-Cookie: auth_strategy=laravelPassport
#2: Set-Cookie: auth_strategy=laravelPassport
#3: Set-Cookie: auth_strategy=laravelPassport
#4: Set-Cookie: auth_strategy=laravelPassport
#5: Set-Cookie: auth_strategy=laravelPassport
Percentage of common characters among subsequent cookies: 100%
Clearly this strategy name is not confidential, nor does it expose any security risk when saved in a cookie, but if you want to process payments, you have to pass PCI compliance first.
Describe the solution you'd like to see
Maybe save the strategy name to session or local storage instead.
Describe alternatives you've considered
For now, I have to hard-code the strategy name so it can pass PCI compliance.
Additional context
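The issue above describes the scanner's behaviour but not how to reproduce its verdict offline. The following is an added example (not code from the issue reporter and not part of auth-module) that approximates such a "predictable session ID" check: it parses the Set-Cookie headers from several requests to the same URL, groups them by cookie name, and scores how much consecutive values have in common. The position-wise "common characters" metric and the 80% threshold are assumptions; HackerGuardian's exact algorithm is not public. The five sample responses are constructed: each carries the constant `auth_strategy=laravelPassport` cookie from the report plus a made-up `sid` cookie that changes on every request.

```javascript
// Added example, not from the issue or from auth-module.
// Reproduces the kind of heuristic a predictable-session-ID scanner applies
// to the Set-Cookie headers of N responses to the same URL.

// Parse one Set-Cookie header line (with or without the "Set-Cookie:" prefix)
// into { name, value }. Attributes such as Path or HttpOnly are ignored.
function parseSetCookie(header) {
  const firstPair = header.replace(/^Set-Cookie:\s*/i, '').split(';')[0];
  const eq = firstPair.indexOf('=');
  if (eq < 0) return null;
  return {
    name: firstPair.slice(0, eq).trim(),
    value: firstPair.slice(eq + 1).trim(),
  };
}

// Percentage of positions at which two cookie values carry the same character.
// Assumed approximation of the scanner's "common characters" metric.
function commonCharPercent(a, b) {
  const len = Math.max(a.length, b.length);
  if (len === 0) return 100; // two empty values are trivially identical
  let same = 0;
  for (let i = 0; i < Math.min(a.length, b.length); i++) {
    if (a[i] === b[i]) same++;
  }
  return Math.round((same / len) * 100);
}

// responses: one array of raw Set-Cookie lines per request, in request order.
// Returns { [cookieName]: { values, avgCommonPercent, predictable } }.
// A cookie is flagged as predictable when consecutive values share at least
// `threshold` percent of their characters on average (80% is an assumption).
function analyzeSessionCookies(responses, threshold = 80) {
  const byName = {};
  for (const headers of responses) {
    for (const h of headers) {
      const c = parseSetCookie(h);
      if (!c) continue;
      (byName[c.name] = byName[c.name] || []).push(c.value);
    }
  }
  const report = {};
  for (const [name, values] of Object.entries(byName)) {
    let total = 0;
    for (let i = 1; i < values.length; i++) {
      total += commonCharPercent(values[i - 1], values[i]);
    }
    const avg = values.length > 1 ? Math.round(total / (values.length - 1)) : 100;
    report[name] = { values, avgCommonPercent: avg, predictable: avg >= threshold };
  }
  return report;
}

// Constructed sample: five scans of the same page. `auth_strategy` is the
// constant cookie from the issue; `sid` stands in for a real, rotating
// session cookie (fake hex values, no real session material).
const SAMPLE_SCAN = [
  ['Set-Cookie: auth_strategy=laravelPassport; Path=/',
   'Set-Cookie: sid=3f9a1c77e0b24d6a8c15; Path=/; HttpOnly; Secure'],
  ['Set-Cookie: auth_strategy=laravelPassport; Path=/',
   'Set-Cookie: sid=b81e04d2a6f93c7e5d10; Path=/; HttpOnly; Secure'],
  ['Set-Cookie: auth_strategy=laravelPassport; Path=/',
   'Set-Cookie: sid=7c2d5ab91f4e08c3a6e2; Path=/; HttpOnly; Secure'],
  ['Set-Cookie: auth_strategy=laravelPassport; Path=/',
   'Set-Cookie: sid=e60b3f8d12c7a94b05f7; Path=/; HttpOnly; Secure'],
  ['Set-Cookie: auth_strategy=laravelPassport; Path=/',
   'Set-Cookie: sid=19d7c4e6b03a85f2d8c9; Path=/; HttpOnly; Secure'],
];

// Run the check over the sample and print which cookies would be flagged.
const report = analyzeSessionCookies(SAMPLE_SCAN);
for (const [name, r] of Object.entries(report)) {
  console.log(`${name}: ${r.avgCommonPercent}% common -> ${r.predictable ? 'FLAGGED' : 'ok'}`);
}
```

The scanner does not know which cookie is the session and which is just a preference, so any cookie that comes back identical on every request trips it. Moving the strategy name out of the cookie (or, if the module is @nuxtjs/auth, setting its `cookie: false` option so nothing is stored in cookies, which is the module's documented switch rather than something from this issue) removes the constant cookie from the responses and leaves only the rotating session cookie for the heuristic to score.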