Session Security

I guess the logic there is, if an attacker can already access cookies in one browser, he already has access to the user's session, and adding a check to see if they now use the same session in a different browser offers very little in terms of actually stopping the attacker - they can just keep using the original browser for whatever they wanted to do.

You can try to regenerate the session ID, so older IDs expire relatively quickly, but that means if the user is idle for longer periods, they would need to log back in.

It depends what kind of app you are developing. If it's, for example, a banking app, no one sits there all day long, so you can assume the user wants to do a specific thing and doesn't mind being logged out after 5 minutes, for example. On the flip side, if it's an app the user wants to use throughout the day, but in short bursts, and they have to log in 10-15 times a day, they will have a negative experience too.

Messages In This Thread
Session Security - by khashabawy - 10-22-2018, 02:42 AM
RE: Session Security - by Pertti - 10-22-2018, 03:49 AM
RE: Session Security - by skunkbad - 10-22-2018, 02:11 PM
