Closed notflip closed 3 years ago
I wonder if you could explain to me what the reason for this line is in LoginSubmitAction.php: it starts the session; however, I notice it is already started by the SessionMiddleware, which is added to the application's middleware stack.
https://github.com/odan/slim4-skeleton/blob/642f71e8d97067508e18863cdfca4a3d8ae7879f/src/Action/Auth/LoginSubmitAction.php#L88
Thank you!
Hi @notflip Yes, the session is already started in the SessionMiddleware.
For security reasons, the Session-ID must be regenerated after a successful login. For this reason only the LoginSubmitAction clears and destroys the old session and regenerates the session ID. To set the logged-in user, the new session must be started first using the start method.
Thanks for getting back, Daniel! I did not know about the need for regenerating the session after a login. Is this commonly done? I'm amazed by the ADR way of structuring this repository, it's perfect.
Thanks :-)
Yes. You should regenerate the session on login, to help defend against session hijacking / fixation and login CSRF.
See OWASP's recommendation for more.
The session ID must be renewed or regenerated by the web application after any privilege level change within the associated user session. ...
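As an added illustration of the login step discussed in this thread (not code from slim4-skeleton, which uses its own session library), here is the same clear / regenerate / set-user sequence written against PHP's native session API; the helper names and cookie settings are assumptions:

```php
<?php
declare(strict_types=1);

// Hypothetical helper (not part of the skeleton): harden the session cookie
// before the session is first started, so a stolen ID is harder to obtain.
function startHardenedSession(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return; // already started, e.g. by a session middleware
    }
    session_set_cookie_params([
        'httponly' => true,   // not readable from JavaScript
        'secure'   => true,   // only sent over HTTPS
        'samesite' => 'Lax',  // limits cross-site submission of the cookie
    ]);
    session_start();
}

// Hypothetical helper: what a login action should do once the credentials
// have been verified. Order matters: clear old data, get a new ID, then
// store the authenticated identity in the *new* session.
function regenerateSessionAfterLogin(int $userId): void
{
    startHardenedSession();

    // Drop everything the anonymous (pre-login) session held, so state an
    // attacker may have planted does not carry over into the logged-in one.
    $_SESSION = [];

    // Issue a fresh session ID and delete the old session record server-side
    // (the `true` argument). A fixated or sniffed pre-login ID is now useless.
    session_regenerate_id(true);

    $_SESSION['user_id'] = $userId;
    $_SESSION['auth_at'] = time();
}

// Hypothetical helper: the mirror image on logout (another privilege change).
function destroySessionOnLogout(): void
{
    startHardenedSession();
    $_SESSION = [];
    $params = session_get_cookie_params();
    // Expire the cookie in the browser as well as destroying it on the server.
    setcookie(session_name(), '', time() - 3600, $params['path'],
        $params['domain'], $params['secure'], $params['httponly']);
    session_destroy();
}
```

The same regeneration should happen on any other privilege change (e.g. role escalation or password change), as the OWASP text quoted above says.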