Session hijacking prevention

[killua-eu]

Need to look into securing data stored in session (i.e. see https://github.com/pohadkar/glued/commit/e9a8357653887b2e9c154b850bc257d256ffd731), i.e. in https://github.com/pohadkar/glued/blob/master/glued/Middleware/Auth/AuthMiddleware.php to prevent XSS attacks against sessions - check that js doesnt use sessions for auth, then kill this vector alltogether

• [ ]

• [ ] up random seed

• [ ] regen sessions on login or even on every req.

• [ ] fingerprinting (allow multiple logins/store multile fingerprints)

• [ ] js request authentication via JWT

• [ ] attributes

  • [ ] samesite
  • [ ] httponly
  • [ ]secure
  • [ ] domain

• [ ] timeout/expiration

Obecně

https://cs.wikipedia.org/wiki/%C3%9Anos_spojen%C3%AD https://www.owasp.org/index.php/Session_Management_Cheat_Sheet https://www.owasp.org/index.php/Top_10_2010-A3-Broken_Authentication_and_Session_Management

O JWT

https://www.owasp.org/index.php/REST_Security_Cheat_Sheet https://jwt.io/introduction/ https://auth0.com/blog/cookies-vs-tokens-definitive-guide/ https://breakdev.org/sniping-insecure-cookies-with-xss/ https://stormpath.com/blog/build-secure-user-interfaces-using-jwts

Implementace

https://github.com/tuupola/slim-jwt-auth