
Protect Against Session Cookie hijacking

Open curtismchale opened this issue 5 months ago • 0 comments

Source CM

Given that most attacks on WP sites in 2023 are user session hijacking, we should look into protecting user sessions in some fashion.

We could certainly log out any sessions that are not inside the US and force users to log in again if they're outside the US, or just not allow login outside the US without exceptions added by us upon request by our users.

We could also look at geo-restrictions on sessions. So if a session is in California, we would invalidate any session that came from New York. This would need some nuance because we could have a user travel, but forcing a login and 2FA if they've taken a large geographical jump is a possible option.

We should also not allow the "Remember me" box to be checked, as that gives long-lived session cookies, and it's safer to ask users to log in every time they need to use the site.

https://fortress.snicco.io/

Evidently SolidWP does something with cookies and IP addresses to tie a logged-in cookie to an IP address.

curtismchale Jan 25 '24 04:01
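The three ideas in the issue (no "Remember me", deny logins from outside the US, and invalidate a session whose origin moved) can all be done with hooks WordPress core already exposes. The mu-plugin below is an added example written for this page; it is not code from wp-proudcity, SolidWP or Fortress. Everything prefixed `pc_` or `PC_` is a name chosen here, the `pc_country_for_ip` filter and the `pc_geo_exempt` user meta key are assumptions standing in for whatever GeoIP source and exception list the team would actually use, and a country comparison is used as the stand-in for the "large geographical jump" check because core records nothing finer than the IP.

```php
<?php
/**
 * Plugin Name: Session binding (illustrative example)
 * Description: Disables "Remember me", blocks logins from outside the allowed
 *              country, and rejects auth cookies whose source IP or country
 *              differs from the one recorded when the session was created.
 * Drop into wp-content/mu-plugins/ to load it on every request.
 */

// Hypothetical helper: the client address as PHP sees it. Core's session data
// records $_SERVER['REMOTE_ADDR'] as well, so compare against the same source.
// Behind a reverse proxy or CDN, derive the real client address from the proxy
// header you trust first, otherwise every visitor looks like the proxy.
function pc_client_ip() {
	return isset( $_SERVER['REMOTE_ADDR'] ) ? (string) $_SERVER['REMOTE_ADDR'] : '';
}

// Hypothetical geo lookup: ISO country code for an IP, or null when unknown.
// A real GeoIP database would be wired to the 'pc_country_for_ip' filter.
function pc_country_for_ip( $ip ) {
	return apply_filters( 'pc_country_for_ip', null, $ip );
}

define( 'PC_ALLOWED_COUNTRY', 'US' );

// Deny the login itself from outside the allowed country. Only act when the
// lookup actually answered: an unknown location must not lock everyone out.
// 'pc_geo_exempt' user meta is the assumed per-user exception list.
add_filter( 'wp_authenticate_user', function ( $user ) {
	if ( is_wp_error( $user ) || get_user_meta( $user->ID, 'pc_geo_exempt', true ) ) {
		return $user;
	}
	$country = pc_country_for_ip( pc_client_ip() );
	if ( null !== $country && PC_ALLOWED_COUNTRY !== $country ) {
		return new WP_Error( 'pc_geo_denied', 'Login is not permitted from this location.' );
	}
	return $user;
} );

// "Remember me": drop the checkbox value before wp_signon() reads it, so every
// auth cookie is a browser-session cookie backed by core's 2-day server token.
add_action( 'login_init', function () {
	unset( $_POST['rememberme'] );
} );
// Hide the checkbox on wp-login.php (core wraps it in <p class="forgetmenot">).
add_action( 'login_head', function () {
	echo '<style>.forgetmenot{display:none}</style>';
} );
// Backstop for other login paths that still pass $remember = true: cap the
// token lifetime at the non-remembered default instead of 14 days.
add_filter( 'auth_cookie_expiration', function ( $length, $user_id, $remember ) {
	return 2 * DAY_IN_SECONDS;
}, 10, 3 );

// Store the country with each session token, next to the 'ip', 'ua', 'login'
// and 'expiration' fields core already records in user meta.
add_filter( 'attach_session_information', function ( $info, $user_id ) {
	$info['country'] = pc_country_for_ip( pc_client_ip() );
	return $info;
}, 10, 2 );

final class PC_Session_Binding {
	/** @var bool set when this request's session was rejected */
	public static $rejected = false;

	// Runs after core has verified the cookie HMAC and the session token.
	public static function check( $cookie_elements, $user ) {
		$manager = WP_Session_Tokens::get_instance( $user->ID );
		$session = $manager->get( $cookie_elements['token'] );
		if ( ! $session ) {
			return;
		}
		$ip_now      = pc_client_ip();
		$country_now = pc_country_for_ip( $ip_now );

		// Exact-IP binding is the strictest check (what the issue attributes to
		// SolidWP) but is noisy on mobile carriers and dual-stack networks; the
		// country comparison is the softer "large jump" check.
		$ip_moved      = isset( $session['ip'] ) && $session['ip'] !== $ip_now;
		$country_moved = ! empty( $session['country'] ) && null !== $country_now
			&& $session['country'] !== $country_now;

		if ( $ip_moved || $country_moved ) {
			$manager->destroy( $cookie_elements['token'] ); // only this device's token
			wp_clear_auth_cookie();
			self::$rejected = true;
		}
	}
}
add_action( 'auth_cookie_valid', array( 'PC_Session_Binding', 'check' ), 10, 2 );

// Core's own validators run on this filter at priorities 10 and 20; at 30 the
// already-accepted user id is turned back into "anonymous" for this request,
// so wp-admin's auth_redirect() sends the user to the login form (and to 2FA,
// if a 2FA plugin is installed).
add_filter( 'determine_current_user', function ( $user_id ) {
	return PC_Session_Binding::$rejected ? 0 : $user_id;
}, 30 );
```

Because the check runs on `auth_cookie_valid`, it only fires for cookies core has already accepted, so a forged or expired cookie never reaches it, and destroying the single token leaves the user's other devices logged in. If exact-IP binding proves too disruptive, keep only `$country_moved`; the structure stays the same.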