odan / slim4-skeleton

A Slim 4 Skeleton
https://odan.github.io/slim4-skeleton/
MIT License
439 stars, 80 forks

Why is the session started from an Action? Isn't it already started from the SessionMiddleware? #36

Closed notflip closed 3 years ago

notflip commented 3 years ago

I wonder if you could explain to me what the reason for this line is, in the LoginSubmitAction.php, it starts the session, however I notice it is already started from the SessionMiddleware, which is added to the application's middleware stack.

https://github.com/odan/slim4-skeleton/blob/642f71e8d97067508e18863cdfca4a3d8ae7879f/src/Action/Auth/LoginSubmitAction.php#L88

Thank you!

odan commented 3 years ago

Hi @notflip. Yes, the session is already started in the SessionMiddleware. For security reasons, the session ID must be regenerated after a successful login. For this reason, only the LoginSubmitAction clears and destroys the old session and regenerates the session ID. To set the logged-in user, the new session must be started first using the start method.

notflip commented 3 years ago

Thanks for getting back, Daniel! I did not know about the need for regenerating the session after a login. Is this commonly done? I'm amazed by the ADR way of structuring this repository, it's perfect.

odan commented 3 years ago

Thanks :-)

Yes. You should regenerate the session on login, to help defend against session hijacking / fixation and login CSRF.

See OWASP's recommendation for more.

The session ID must be renewed or regenerated by the web application after any privilege level change within the associated user session. ...
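
The sequence odan describes (clear the old session, destroy it, regenerate the ID, start the new session, then bind the user) and the fixation/hijacking rationale from the second reply, shown side by side as an added example. This is not code from odan/slim4-skeleton: it uses PHP's native `session_*` functions rather than the skeleton's session library, and the class and method names (`LoginSession`, `loginVulnerable`, `loginSafe`, `ensureStarted`) are hypothetical.

```php
<?php
declare(strict_types=1);

/**
 * Added example, not part of odan/slim4-skeleton. Demonstrates why the login
 * action regenerates the session even though the middleware already started
 * one. Written against PHP's native session functions; names are hypothetical.
 */
final class LoginSession
{
    /**
     * The pattern to avoid: the pre-login session ID survives authentication.
     * Anyone who planted or observed that ID before login (session fixation)
     * now holds a fully authenticated session.
     */
    public static function loginVulnerable(int $userId): string
    {
        self::ensureStarted();
        $_SESSION['user_id'] = $userId;

        return session_id();
    }

    /**
     * The recommended pattern: clear, destroy, regenerate the ID, start,
     * and only then bind the authenticated user to the fresh session.
     */
    public static function loginSafe(int $userId): string
    {
        self::ensureStarted();

        // 1. Drop everything stored under the old (possibly attacker-chosen) ID.
        $_SESSION = [];

        // 2. Remove the server-side record of the old session.
        session_destroy();

        // 3. Start again and force a brand-new ID. The `true` argument deletes
        //    the storage belonging to the old ID so it cannot be reused.
        session_start();
        session_regenerate_id(true);

        // 4. Only now is the new session tied to the logged-in user.
        $_SESSION['user_id'] = $userId;
        $_SESSION['login_at'] = time();

        return session_id();
    }

    /** In the skeleton the SessionMiddleware has already done this step. */
    private static function ensureStarted(): void
    {
        if (session_status() !== PHP_SESSION_ACTIVE) {
            session_start();
        }
    }
}

// Demonstration (run with `php login_session.php`). Output is collected and
// printed at the end so that no session header is sent after output began.
$lines = [];

$idBeforeLogin = LoginSession::loginVulnerable(42);
$lines[] = "vulnerable login kept pre-login id: $idBeforeLogin";

$idAfterLogin = LoginSession::loginSafe(42);
$lines[] = "safe login issued new id:           $idAfterLogin";

$lines[] = ($idBeforeLogin === $idAfterLogin)
    ? 'FAIL: session ID was reused across the privilege change'
    : 'OK: session ID changed on login';

echo implode(PHP_EOL, $lines), PHP_EOL;
```

Regenerating the ID is only half of the fixation defence: with `session.use_strict_mode=0` (the PHP default), PHP will happily accept and initialize any session ID a client presents, so an attacker can keep re-fixating a known ID. Setting `session.use_strict_mode=1` makes PHP reject IDs it did not issue, which complements the regeneration above. In a PSR-7 application such as this skeleton, the native functions also write the `Set-Cookie` header directly, which is why the project routes session handling through its own middleware and session abstraction rather than calling `session_*` from an action.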