• 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
Session Security

I guess the logic there is, if attacker already can access cookies in one browser, he already has access to user session and adding check to see if they now use same session in different browser offers very little in terms of actually stopping attacker - they can just keep using original browser for whatever they wanted to do.

You can try to regenerate session ID, so older IDs expire relatively quickly, but that means if user is idle for longer periods, they would need to log back in.

Depends what kind of app you are developing. If it's for example bank app, no one sits there all day long, so you can assume user wants to do specific thing and don't mind if they are logged out after 5 minutes, for example. On flip side, if it's app user wants to use throughout the day, but in short bursts, if they have to log in 10-15 times a day, they will have negative experience too.

Messages In This Thread
Session Security - by khashabawy - 10-22-2018, 02:42 AM
RE: Session Security - by Pertti - 10-22-2018, 03:49 AM
RE: Session Security - by skunkbad - 10-22-2018, 02:11 PM

Digg   Delicious   Reddit   Facebook   Twitter   StumbleUpon  

  Theme © 2014 iAndrew  
Powered By MyBB, © 2002-2020 MyBB Group.