Storing session information in permanent cookie

(06-23-2017, 02:42 AM)june123 Wrote: Now, I thought storing the session in database will help increasing the application security.

Only on a shared hosting environment, where other clients of the hosting company may have access to your session files. But that has literally nothing to do with the cookies.

(06-23-2017, 02:42 AM)june123 Wrote: How do I achieve RAM cookies as suggested by audit?

You don't have to do this. In fact, I strongly advise that you ignore this suggestion. There are of course valid reasons to choose "RAM cookies" over persistent ones, but neither choice is inherently more secure or insecure.
And in your particular case, this suggestion only shows that your auditors are being rather incompetent.

A "RAM cookie" is a cookie with no expiry time, that gets erased when the browser is closed. Why this is being suggested to you is that such temporary cookies are harder to steal, for a number of reasons, but most importantly because this implies the cookie will have a shorter lifetime, and therefore a shorter time window for any attacker to act on it.

But here's the thing - you've set your cookie expiry time at 1200 seconds already, and you should ask yourself this: when is the last time you had a browser window open for less than 20 minutes? Mine stays open for weeks.

Hence, choosing a "RAM cookie" over one with a 20-minute expiry time makes zero sense.
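To illustrate the point made in the reply above, here is an added, framework-agnostic Python example (not code from the thread or from any framework it discusses): a server-side session store that enforces the 1200-second idle timeout itself, plus the two `Set-Cookie` shapes, a persistent cookie with `Max-Age=1200` and a "RAM cookie" with no expiry attribute. The cookie name `session_id`, the `SessionStore` class and the injectable clock are assumptions for the example; the timeout value is the one from the thread.

```python
import secrets
import time

SESSION_TTL = 1200  # 20-minute idle timeout, the value discussed in the thread


class SessionStore:
    """Server-side session store keyed by an opaque random id (constructed example).

    The lifetime bound is enforced here, on the server, so it holds no matter
    whether the browser keeps the cookie past the end of its own session.
    """

    def __init__(self, ttl=SESSION_TTL, now=time.time):
        self.ttl = ttl
        self.now = now          # injectable clock, makes expiry testable
        self._sessions = {}     # sid -> (data, last_seen)

    def create(self, data):
        sid = secrets.token_urlsafe(32)  # 256 bits of randomness, unguessable id
        self._sessions[sid] = (data, self.now())
        return sid

    def get(self, sid):
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        data, last_seen = entry
        if self.now() - last_seen > self.ttl:
            # Idle too long: the browser may still hold the cookie, but the
            # server no longer accepts it, so the attacker's window is closed.
            del self._sessions[sid]
            return None
        self._sessions[sid] = (data, self.now())  # sliding expiry on each use
        return data


def session_cookie(sid, persistent, ttl=SESSION_TTL):
    """Build a Set-Cookie header value for the session id.

    persistent=True  -> cookie with Max-Age, survives a browser restart for ttl seconds
    persistent=False -> "RAM cookie": no Max-Age/Expires, dropped when the browser closes
    Either way the server-side check in SessionStore.get() bounds the usable lifetime.
    """
    attrs = [f"session_id={sid}", "Path=/", "HttpOnly", "Secure", "SameSite=Lax"]
    if persistent:
        attrs.append(f"Max-Age={ttl}")
    return "; ".join(attrs)
```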


RE: Storing session information in permanent cookie - by Narf - 06-23-2017, 04:47 AM


