Django
DiaTMss, 2019-09-11 00:00:33

How to protect sessions and cookies?

I watched a lot of video courses on writing my own framework, and read books in English and Russian on information security. How exactly, and from what, I should protect myself I did not understand. The examples are banal, the code is too primitive, the essence is not disclosed. As if this were the strictest secret and you will find best practice in few places. XSS, SQL injection and password hashing are covered in self-written code.) Here on the hub, CSRF was explained clearly, point by point.

Of the courses I liked, I will note:
Kevin Scotland, Creating Secure PHP Websites: uses mcrypt, which is already or will be removed from PHP.
David Powers, Managing PHP Persistent Sessions: uses SessionHandler.

Why are these topics not disclosed?

SessionHandler implements SessionHandlerInterface, SessionIdInterface {

    /* Methods */

    public close(void): bool
    public create_sid(void): string
    public destroy(string $session_id): bool
    public gc(int $maxlifetime): int
    public open(string $save_path, string $session_name): bool
    public read(string $session_id): string
    public write(string $session_id, string $session_data): bool
}

Are cookies stored in the browser if you do not specify SSL?
Sessions are on the server, so why do I have PHPSESSID in the browser? Lifetime until the browser is closed. Can a session id be passed by URL?
It is not clear what to watch: ethical hacking, information security, web application security, which branch is this? Everything is clear with our back-end.)
Session hijacking and fixation.
Tips from the video:
- Do not put the most important data in it
- Use SSL to prevent JS from gaining access
- Old browsers do not understand HttpOnly
- setcookie: correctly set path and domain
- Encrypt and sign
- Do not accept the session id from anywhere other than cookies
- Use HTTPS
- Use secure cookies
- Configure php.ini
- Regenerate the session id immediately after authorization
- Regularly delete old sessions; monitor last activity or authorization
- Compare the user's IP address with what the user used last time, but what if the IP addresses are from the same network, for example an educational institution?
- Check the user agent, even though it can be faked, for defense in depth
Help pliz, 2 years I've been trying (
The Sodium library has been in PHP recently; by what criteria should one choose a cryptographic function?
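The tips above amount to a handful of php.ini settings and session calls. The following is an added example, not part of the original question or of the video course it refers to: a minimal session bootstrap that applies them (cookie-only ids, strict mode, Secure/HttpOnly/SameSite cookie attributes, id regeneration on login, idle and absolute timeouts, and a user-agent binding as a weak extra check). The function names, the cookie name SID and the timeout values are assumptions; it assumes PHP 7.3 or newer and a site served over HTTPS.

```php
<?php
declare(strict_types=1);

// Added example (not from the original question or the video course): a session
// bootstrap applying the listed tips. Assumes PHP 7.3+ and an HTTPS-only site.
// The timeout values and the cookie name 'SID' are assumptions, not recommendations.

const SESSION_IDLE_LIMIT     = 1800;   // seconds without activity before the session is dropped
const SESSION_ABSOLUTE_LIMIT = 43200;  // seconds after login after which it is dropped regardless

function secure_session_start(): void
{
    // Accept the id only from the cookie, never from ?PHPSESSID=... in the URL.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    // Refuse ids the server did not issue itself: the core defence against session fixation.
    ini_set('session.use_strict_mode', '1');
    // The cookie name is arbitrary; a neutral name does not advertise the stack.
    session_name('SID');

    session_set_cookie_params([
        'lifetime' => 0,       // browser-session cookie; lives on if the browser restores tabs
        'path'     => '/',
        'domain'   => '',      // current host only
        'secure'   => true,    // never sent over plain HTTP
        'httponly' => true,    // invisible to document.cookie (ignored by very old browsers)
        'samesite' => 'Lax',   // not attached to cross-site POSTs
    ]);

    session_start();

    if (!session_is_fresh()) {
        // Timed out or bound to a different client: discard the data and the old id together.
        session_unset();
        session_regenerate_id(true);
    }
    $_SESSION['last_activity'] = time();
}

// Returns false when the idle limit, the absolute limit or the client binding has been violated.
function session_is_fresh(): bool
{
    $now = time();
    if (isset($_SESSION['last_activity']) && $now - $_SESSION['last_activity'] > SESSION_IDLE_LIMIT) {
        return false;
    }
    if (isset($_SESSION['login_time']) && $now - $_SESSION['login_time'] > SESSION_ABSOLUTE_LIMIT) {
        return false;
    }
    // The user-agent check is defence in depth only: it is trivially spoofable, but it
    // stops a stolen id being replayed by a client that did not also copy the UA string.
    if (isset($_SESSION['ua_hash']) && !hash_equals($_SESSION['ua_hash'], client_ua_hash())) {
        return false;
    }
    return true;
}

function client_ua_hash(): string
{
    return hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
}

// Call after the password check succeeds.
function login_user(int $userId): void
{
    // Fresh id on privilege change, so an id known before login is never promoted.
    session_regenerate_id(true);
    $_SESSION['user_id']    = $userId;
    $_SESSION['login_time'] = time();
    $_SESSION['ua_hash']    = client_ua_hash();
}

function logout_user(): void
{
    session_unset();
    // Expire the cookie in the browser with the same attributes it was issued with.
    $p = session_get_cookie_params();
    setcookie(session_name(), '', [
        'expires'  => time() - 86400,
        'path'     => $p['path'],
        'domain'   => $p['domain'],
        'secure'   => $p['secure'],
        'httponly' => $p['httponly'],
        'samesite' => $p['samesite'],
    ]);
    session_destroy();
}
```

Call secure_session_start() at the top of every request, login_user() once the password check has passed, and logout_user() on logout. The IP-address tip from the list is deliberately left out: a client that moves between networks would be logged out on every change, which is the objection the answer below raises.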


2 answer(s)
Dimonchik, 2018-03-30
@dimonchik2013

https://djbook.ru/rel1.9/topics/http/urls.html

Stalker_RED, 2019-09-11
@DiaTMss

> Are cookies stored in the browser if you do not specify SSL?

Cookies are stored in the browser, whatever you specify.

> Sessions are on the server, so why do I have PHPSESSID in the browser?

Sessions are stored on the server side. PHPSESSID is the cookie that contains the session identifier (PHP SESSion IDentifier; by the way, you can rename it however you like).

> Lifetime until the browser is closed

If the "restore tabs at startup" option is enabled, the cookie will not be deleted. And some plugins do the same.

> Can a session id be passed by URL?

It can.

The advice is generally fine, except for the advice about IP. You came home, connected to Wi-Fi, the IP changed, and is it time to log in again?

> Help pliz, 2 years I've been fighting (

It's amazing that in two years you haven't even read what sessions are and how to store passwords.
And sodium is cryptography in general, not hashing.
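Taking the "encrypt and sign" tip and the SessionHandler listing from the question together with this answer's point that sodium is cryptography rather than hashing: the following is an added example, not code from the original post or from either book mentioned there. It subclasses PHP's built-in SessionHandler so that the default file store only ever holds ciphertext, using sodium_crypto_secretbox, which encrypts and authenticates in one call (so a tampered record is rejected as an empty session rather than decrypted). It assumes PHP 8.0 or newer with the sodium extension, and a 32-byte key supplied out of band as hex in a SESSION_KEY environment variable (a hypothetical name).

```php
<?php
declare(strict_types=1);

// Added example (not from the original post): wrap PHP's default file session handler
// so that everything written to the session store is encrypted and authenticated
// with libsodium's secretbox (XSalsa20-Poly1305).
// Assumes PHP 8.0+ with the sodium extension and a 32-byte key supplied out of band
// as hex in the SESSION_KEY environment variable (hypothetical variable name).

final class EncryptedSessionHandler extends SessionHandler
{
    private string $key;

    public function __construct(string $key)
    {
        if (strlen($key) !== SODIUM_CRYPTO_SECRETBOX_KEYBYTES) {
            throw new InvalidArgumentException(
                'session key must be exactly ' . SODIUM_CRYPTO_SECRETBOX_KEYBYTES . ' bytes'
            );
        }
        $this->key = $key;
    }

    public function read(string $id): string|false
    {
        $stored = parent::read($id);
        if ($stored === false || $stored === '') {
            return $stored;   // new or empty session: nothing to decrypt
        }
        // A record that fails authentication was tampered with or written under another
        // key: treat it as an empty session instead of trusting any part of it.
        return self::unseal($stored, $this->key) ?? '';
    }

    public function write(string $id, string $data): bool
    {
        return parent::write($id, self::seal($data, $this->key));
    }

    // Layout: nonce || ciphertext+tag. The nonce is random per write, so identical
    // session data never produces identical records on disk.
    public static function seal(string $plain, string $key): string
    {
        $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
        return $nonce . sodium_crypto_secretbox($plain, $nonce, $key);
    }

    // Returns null when the record is too short or the authentication tag does not verify.
    public static function unseal(string $sealed, string $key): ?string
    {
        if (strlen($sealed) < SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES) {
            return null;
        }
        $nonce  = substr($sealed, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
        $cipher = substr($sealed, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
        $plain  = sodium_crypto_secretbox_open($cipher, $nonce, $key);
        return $plain === false ? null : $plain;
    }
}

// Usage: install the handler before session_start(). Generate the key once with
// sodium_crypto_secretbox_keygen() and store it outside the web root or in the environment.
$key = sodium_hex2bin((string) getenv('SESSION_KEY'));
session_set_save_handler(new EncryptedSessionHandler($key), true);
session_start();
```

This is the selection criterion the question asks about in practice: secretbox is the right sodium primitive for encrypting data you will decrypt again (session records, tokens), while passwords are never encrypted but hashed with password_hash() or sodium_crypto_pwhash_str(), which is the distinction the answer draws.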
