
Session regens and lifespans

Open circuitbomb opened this issue 15 years ago • 3 comments

The user session needs to be regenerated at login and if the user-agent changes during a session. Also, passwords shouldn't be stored session side, even with a salt; perhaps use another unique string in place (md5(mt_rand())). Also, session lifetime should be set:

circuitbomb, Aug 13 '09 17:08

Well, considering a couple of these are specified in the config, I suppose it would only be necessary to regenerate the session on specific changes.

circuitbomb, Aug 13 '09 17:08

Yeah, that's what I was thinking. Thanks for pointing out the pw in the session, looks like that was happening in the update method when the user updated their pw. Patched now.

thody, Aug 13 '09 17:08

Closing this in lieu of persistence and that pw is no longer stored session side.

circuitbomb, Aug 13 '09 23:08
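
The points raised in the opening post (regenerate at login and on a user-agent change, keep the password out of the session, set a lifetime), as an added example using plain PHP native sessions; this is not User-Library's code. The function names and the 30-minute limit are assumptions, and the per-session string comes from `random_bytes()` in place of the `md5(mt_rand())` mentioned in the issue, because `mt_rand()` is not a cryptographic generator.

```php
<?php
// Added example: native PHP sessions (PHP 7.3+), not User-Library code.
// SESSION_IDLE_LIMIT and every function name here are hypothetical.
const SESSION_IDLE_LIMIT = 1800; // seconds of inactivity allowed (assumed value)

function ua_fingerprint(): string
{
    // Hash of the current request's User-Agent header (empty string if absent).
    return hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
}

// Call only after the credentials have been verified elsewhere.
function session_login(int $userId): void
{
    session_regenerate_id(true);                  // new ID at login, old session data deleted
    $_SESSION = [
        'user_id'   => $userId,                   // identifier only: no password, no hash, no salt
        'token'     => bin2hex(random_bytes(16)), // unique per-session string from a CSPRNG
        'ua'        => ua_fingerprint(),
        'last_seen' => time(),
    ];
}

// Call on every request after session_start(); false means the user must log in again.
function session_check(): bool
{
    if (!isset($_SESSION['user_id'], $_SESSION['ua'], $_SESSION['last_seen'])) {
        return false;                             // not logged in
    }
    $expired   = (time() - $_SESSION['last_seen']) > SESSION_IDLE_LIMIT;
    $uaChanged = !hash_equals($_SESSION['ua'], ua_fingerprint());
    if ($expired || $uaChanged) {
        $_SESSION = [];                           // drop the authenticated state
        session_regenerate_id(true);              // and move to a fresh session ID
        return false;
    }
    $_SESSION['last_seen'] = time();              // sliding idle timeout
    return true;
}

// Server-side lifetime plus cookie flags; 'secure' assumes the site is served over HTTPS.
ini_set('session.gc_maxlifetime', (string) SESSION_IDLE_LIMIT);
session_set_cookie_params(['lifetime' => 0, 'secure' => true, 'httponly' => true, 'samesite' => 'Lax']);
session_start();
```

The user-agent comparison only catches a session ID replayed from a different client string; the regeneration at login is what prevents session fixation.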