
Session Hijacking Prevention

Open ChakshuGautam opened this issue 3 years ago • 0 comments

I wanted to prevent users from getting the sessionID and using it on non-logged-in browsers. I have added the following

req.getSession(false).setMaxInactiveInterval(1); // To prevent session hijacking.

snippet here to discard cookies after one second. https://github.com/getodk/aggregate/blob/bad45279a5ca96619e87ad4a14448fe70b62e227/src/main/java/org/opendatakit/common/security/server/SecurityServiceImpl.java#L57

This seems to be working fine, but I don't know the side effects of this approach. Anything else that I can do here?

ChakshuGautam, Feb 03 '21 05:02
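As an added example (not code from this issue or from Aggregate itself), the following helper shows the conventional servlet-API alternative to a one-second inactivity interval: rotating the session id when authentication succeeds, a normal idle timeout, and HttpOnly/Secure flags on the session cookie. It assumes the javax.servlet 3.0 API; the `user` attribute name and the 30-minute timeout are placeholder choices.

```java
import javax.servlet.ServletContext;
import javax.servlet.SessionCookieConfig;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/** Session hygiene for a servlet application (illustrative; not Aggregate's own code). */
public final class SessionGuard {
    // Placeholder idle timeout: 30 minutes. A value of 1 second, as in the issue,
    // expires the session between almost any two requests, so real users are logged out too.
    static final int IDLE_TIMEOUT_SECONDS = 30 * 60;

    private SessionGuard() {}

    /**
     * Call from a ServletContextListener.contextInitialized() before the context starts serving.
     * HttpOnly keeps the cookie away from page scripts; Secure keeps it off plaintext HTTP.
     */
    public static void hardenSessionCookie(ServletContext ctx) {
        SessionCookieConfig cookie = ctx.getSessionCookieConfig();
        cookie.setHttpOnly(true);
        cookie.setSecure(true);
    }

    /**
     * Call once the user's credentials have been verified. The pre-login session (whose id
     * could have been observed or planted before authentication) is discarded and a fresh id
     * is issued, so an id captured earlier never becomes an authenticated one.
     */
    public static HttpSession establishAuthenticatedSession(HttpServletRequest req, String username) {
        HttpSession old = req.getSession(false);
        if (old != null) {
            old.invalidate();                      // drop all pre-authentication state and its id
        }
        HttpSession fresh = req.getSession(true);  // new id, empty attribute map
        fresh.setAttribute("user", username);
        fresh.setMaxInactiveInterval(IDLE_TIMEOUT_SECONDS);
        return fresh;
    }

    /** Returns the authenticated user for this request, or null when no valid session exists. */
    public static String authenticatedUser(HttpServletRequest req) {
        HttpSession s = req.getSession(false);     // never create a session just to inspect one
        if (s == null) return null;
        Object user = s.getAttribute("user");
        return user instanceof String ? (String) user : null;
    }

    /** Logout: invalidating server-side state makes a captured cookie value worthless. */
    public static void logout(HttpServletRequest req) {
        HttpSession s = req.getSession(false);
        if (s != null) s.invalidate();
    }
}
```

The idle timeout still bounds how long a stolen id stays usable; the cookie flags and id rotation address the theft and replay paths that a short timeout alone does not.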