I'm wondering how you could best protect sessions. I've searched a bit and find a lot of answers, but many of them are just too confusing.
How to prevent sessions from being hijacked? I've read a lot about "sessions tokens" you generate in a form, but really don't understand what their use is. How does this prevent session hijacking?
I know you don't save things like passwords in sessions, but what CAN you store in them safely? Permissions (like a session variabele which keeps track of the user level. Every time a page is opened, the session variabele is checked. It's it's not a certain number, you get an "access-denied" message displayed)? Or how do you handle this best?
Thank you!
It can either be stored in your local storage, in your session storage, or within a cookie. The token is placed in the header for subsequent requests to your server as an “authorization header”. The server then decodes the token in the header and processes it if it is valid.
The difference is that tokens are typically following a standard while sessions are implemented as needed by the server. Additionally, tokens tend not to need a session on the server but they may have one.
JWT authentication However, while the session-based flow relies on storing all the necessary state in a database and looking it up on every request, in the JWT flow all that context is self-contained in the string being sent back to the client.
Session Token API endpoint URL. /session. Creates a session token (referred to as an User API Access Token in the UI) that provides authentication for other API calls. Note: You can't use a session token for authenticating a /datapoint , /backfill , or /event API call.
You can basically store anything in the session that you want, it is just considered "best" practice not to include any security sensitive information, such as passwords, in case a layer of security is compromised.
The first step to preventing session hijacking is to not pass your session_id() via url. Users are stupid, and they will post links on their blogs with their session id, which would basically give whoever clicked that link access to their session. Therefore, it is recommended to store your session id in the users cookie.
With that said, you want to filter and escape all your user input. If you have an XSS injection, and the user is able to inject javascript, they will be able to read your cookies without a problem.
From there, you generally want to regenerate_session_id() on any major action on your website, to prevent session fixation.
It's pretty simple, and that about sums it up.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With