Is your feature request related to a problem? Please describe.
At the moment, the authentication and session are only based on the BASHSESSID and the cookie is not protected. So it's easy to get a man in the middle.
Describe the solution you'd like
We should split the session cookie and the authentication cookie. Something like BASHSESSID and BASHAUTHID, and we should add SameSite=Strict on the auth cookie.
Servers that require a higher level of security SHOULD use the Cookie and Set-Cookie headers only over a secure channel. When using cookies over a secure channel, servers SHOULD set the Secure attribute (see Section 4.1.2.5) for every cookie. If a server does not set the Secure attribute, the protection provided by the secure channel will be largely moot.
Finally we probably have to add additional security to the web server to be safe.
@misterbh Yep, that's true. Every cookie set by default will have a configuration option to enable the Secure attribute. Also the authentication will no longer be set only by a single cookie (easy MITM).
For the moment I still don't know how to do it, but I will have a look at how other applications do it.
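An added check, not code from the project or from the commenters above, that audits Set-Cookie headers for the attributes this thread discusses (Secure, HttpOnly, SameSite=Strict on the auth cookie) and builds a hardened header; the cookie names and values are constructed samples.

```python
"""Audit Set-Cookie headers for the attributes discussed in this issue."""

# Constructed sample headers (not captured from the project): the first mirrors
# the unprotected session cookie described above, the second a hardened auth cookie.
SAMPLE_HEADERS = [
    "BASHSESSID=abc123; Path=/",
    "BASHAUTHID=def456; Path=/; Secure; HttpOnly; SameSite=Strict",
]


def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, {attribute_lower: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def audit_set_cookie(header, is_auth_cookie=False):
    """Return a list of findings for a Set-Cookie header; empty means hardened."""
    name, _, attrs = parse_set_cookie(header)
    findings = []
    if "secure" not in attrs:
        # Without Secure the cookie is also sent over plain HTTP (RFC 6265 4.1.2.5).
        findings.append(f"{name}: missing Secure attribute")
    if "httponly" not in attrs:
        findings.append(f"{name}: missing HttpOnly attribute")
    same_site = attrs.get("samesite", "").lower()
    if is_auth_cookie and same_site != "strict":
        findings.append(f"{name}: auth cookie should set SameSite=Strict")
    elif same_site not in ("strict", "lax"):
        findings.append(f"{name}: SameSite missing or None")
    return findings


def build_set_cookie(name, value, same_site="Strict"):
    """Build a Set-Cookie value carrying Secure, HttpOnly and SameSite."""
    return f"{name}={value}; Path=/; Secure; HttpOnly; SameSite={same_site}"


if __name__ == "__main__":
    for hdr in SAMPLE_HEADERS:
        print(hdr, "->", audit_set_cookie(hdr, is_auth_cookie="BASHAUTHID" in hdr))
```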