Open killua-eu opened 6 years ago
Need to look into securing data stored in session (i.e. see https://github.com/pohadkar/glued/commit/e9a8357653887b2e9c154b850bc257d256ffd731), i.e. in https://github.com/pohadkar/glued/blob/master/glued/Middleware/Auth/AuthMiddleware.php to prevent XSS attacks against sessions - check that JS doesn't use sessions for auth, then kill this vector altogether
[ ]
[ ] up random seed
[ ] regen sessions on login or even on every req.
[ ] fingerprinting (allow multiple logins/store multiple fingerprints)
[ ] js request authentication via JWT
[ ] attributes
[ ] timeout/expiration
General
https://cs.wikipedia.org/wiki/%C3%9Anos_spojen%C3%AD https://www.owasp.org/index.php/Session_Management_Cheat_Sheet https://www.owasp.org/index.php/Top_10_2010-A3-Broken_Authentication_and_Session_Management
About JWT
https://www.owasp.org/index.php/REST_Security_Cheat_Sheet https://jwt.io/introduction/ https://auth0.com/blog/cookies-vs-tokens-definitive-guide/ https://breakdev.org/sniping-insecure-cookies-with-xss/ https://stormpath.com/blog/build-secure-user-interfaces-using-jwts
Implementation
https://github.com/tuupola/slim-jwt-auth
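As an added illustration of the checklist above (not code from the glued project or its AuthMiddleware), a plain-PHP session hardening routine that sets the cookie flags keeping the session id away from JS, regenerates the id on login, enforces idle and absolute timeouts, and binds the session to a coarse client fingerprint. It assumes a stock PHP session store and PHP 7.3 or newer for the 'samesite' cookie option; the timeout values are illustrative.

```php
<?php
// Added example, not the glued project's code: plain-PHP session hardening for
// the checklist (cookie flags, id regeneration, timeouts, fingerprint binding).
const IDLE_TIMEOUT = 900;       // seconds without a request before expiry (assumed)
const ABSOLUTE_TIMEOUT = 28800; // seconds since login before expiry (assumed)

function startHardenedSession(): void
{
    // HttpOnly keeps the id out of document.cookie (the XSS vector above),
    // Secure keeps it off plain HTTP, SameSite limits cross-site replay.
    session_set_cookie_params([
        'lifetime' => 0, 'path' => '/', 'secure' => true,
        'httponly' => true, 'samesite' => 'Strict',
    ]);
    ini_set('session.use_strict_mode', '1'); // refuse ids the server never issued
    ini_set('session.use_only_cookies', '1'); // never accept the id via the URL
    session_start();
}

function clientFingerprint(): string
{
    // Coarse binding only: the UA is client-controlled, so this raises the cost of replaying a stolen id but is not authentication by itself.
    return hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
}

function loginSession(int $userId): void
{
    session_regenerate_id(true); // fresh id on privilege change, old one deleted
    $_SESSION = [
        'uid' => $userId, 'login_at' => time(), 'last_seen' => time(),
        'fingerprint' => clientFingerprint(),
    ];
}

function sessionIsValid(): bool
{
    $s = $_SESSION;
    if (!isset($s['uid'], $s['login_at'], $s['last_seen'], $s['fingerprint'])) return false;
    $expired = time() - $s['last_seen'] > IDLE_TIMEOUT
        || time() - $s['login_at'] > ABSOLUTE_TIMEOUT;
    if ($expired || !hash_equals($s['fingerprint'], clientFingerprint())) {
        $_SESSION = [];
        session_destroy(); // invalidate rather than leave a stale or replayed session
        return false;
    }
    $_SESSION['last_seen'] = time(); // sliding idle window
    return true;
}
```

Call startHardenedSession() before any output on every request, loginSession() once credentials have been verified, and sessionIsValid() in the auth middleware to decide whether the request is authenticated.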