Protect Against Session Cookie hijacking #2469

Open
curtismchale opened this issue Jan 25, 2024 · 0 comments
curtismchale commented Jan 25, 2024

Source: CM

Given that most attacks on WP sites in 2023 are user session hijacking, we should look into protecting user sessions in some fashion.

We could certainly log any sessions out that are not inside the US and force users to log in again if they're outside the US, or just not allow login outside the US without exceptions added by us upon request by our users.

We could also look at geo-restrictions on sessions. So if a city is in California, we would invalidate any session that came from New York. This would need some nuance because we could have a user travel, but forcing a log in and 2FA if they've taken a large geographical jump is a possible option.

We should also not allow the "Remember me" box to be checked, as that gives long-lived session cookies, and it's safer to ask users to log in every time they need to use the site.

https://fortress.snicco.io/

Evidently SolidWP does something with cookies and IP addresses to tie a logged-in cookie to an IP address.
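As an added illustration of the two mechanical controls discussed above (tying a session to the IP that created it, and capping cookie lifetime so "Remember me" cannot produce long-lived sessions), here is a must-use plugin sketch for WordPress. It is example code written for this issue, not code from this project, SolidWP or Snicco Fortress. It uses only core WordPress hooks and classes (`attach_session_information`, `determine_current_user`, `auth_cookie_expiration`, `WP_Session_Tokens`); the `sp_` prefix, the 8-hour cap and the assumption that `REMOTE_ADDR` holds the real client address are mine. Geographic rules (country allow-list, "large jump" step-up to 2FA) need an IP-to-location database and are not shown.

```php
<?php
/**
 * Plugin Name: Session Pinning (example)
 * Description: Example (not project code): pin WordPress sessions to the
 *              client IP recorded at login and cap auth cookie lifetime.
 */

// Assumption: REMOTE_ADDR is the real client IP. Behind a CDN or reverse
// proxy, the web server must be configured to rewrite REMOTE_ADDR from the
// proxy's header for trusted proxies only; reading X-Forwarded-For directly
// would let any client choose the value that gets pinned.
function sp_client_ip(): string {
    return isset($_SERVER['REMOTE_ADDR']) ? (string) $_SERVER['REMOTE_ADDR'] : '';
}

// 1. At login, store the originating IP next to WordPress's own session data
//    (this filter runs inside WP_Session_Tokens::create()).
add_filter('attach_session_information', function (array $session, int $user_id): array {
    $session['sp_ip'] = sp_client_ip();
    return $session;
}, 10, 2);

// 2. On each request, after core has validated the auth cookie (its own
//    determine_current_user callback runs at priority 20), compare the
//    current IP with the pinned one. On mismatch, destroy only this session
//    (other devices stay logged in), clear the cookie and treat the request
//    as anonymous by returning 0.
add_filter('determine_current_user', function ($user_id) {
    if (!$user_id) {
        return $user_id; // not authenticated via cookie; nothing to check
    }
    $token = wp_get_session_token();
    if ($token === '') {
        return $user_id; // no logged_in cookie present (e.g. other auth path)
    }
    $manager = WP_Session_Tokens::get_instance((int) $user_id);
    $session = $manager->get($token);
    if (!$session || empty($session['sp_ip'])) {
        return $user_id; // session predates this plugin; cannot compare
    }
    if (!hash_equals($session['sp_ip'], sp_client_ip())) {
        $manager->destroy($token);
        wp_clear_auth_cookie(); // safe here: headers are not sent yet during init
        // Record for detection/review; never echo the details to the client.
        error_log(sprintf(
            'session pin mismatch for user %d: pinned %s, request %s',
            $user_id, $session['sp_ip'], sp_client_ip()
        ));
        return 0;
    }
    return $user_id;
}, 30);

// 3. Cap cookie lifetime regardless of the "Remember me" checkbox, so no
//    session outlives 8 hours (a constructed value; pick one for your users).
add_filter('auth_cookie_expiration', function (int $length, int $user_id, bool $remember): int {
    return min($length, 8 * HOUR_IN_SECONDS);
}, 10, 3);
```

Two operational caveats before deploying something like this: exact IP pinning logs out mobile users whenever their carrier rotates addresses, so a prefix or ASN comparison, or a step-up to 2FA instead of a hard logout, is usually the more practical version of the "large geographical jump" idea in the comment; and the cap on `auth_cookie_expiration` only bounds the cookie, so pair it with a matching session clean-up policy (core already expires stored sessions at the same timestamp).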
