
Am I doing enough to protect a PHP logged-in session?

I have an application which grants a user access to view a list of entries. A logged-in session gets a session cookie (naturally) and uses this cookie to view results. The results are formatted in the URL like so: /admin.php?page=12&results=5, where results is the number of entries to show per page and page is the page they are currently viewing. I want to know if I am doing enough to make sure that no one has hijacked my logged-in cookie in order to get the sensitive data.

[1] CORS headers deny all CSRF.
[2] Session ID regenerated every 5 minutes; it shuts down gracefully, logging all access to invalidated sessions, logging both the new session user and the last user who accessed the old session.
[3] Ensuring the cookie is OK against replay attacks.

Is there anything else?
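One way to implement the rotation, grace window and invalidated-session logging the question describes, as an added example that is not code from the original post. It assumes PHP >= 7.4 over HTTPS with the default file session handler; REGEN_INTERVAL, GRACE_SECONDS, log_session_event() and the `user_id` session key are this example's own names. The id-switch pattern (commit, set the successor id, restart) follows the session_regenerate_id notes in the PHP manual; the session data is copied across explicitly rather than relying on it surviving session_start(). Note that CORS headers govern what a script may read cross-origin, not whether a cross-site form POST reaches the server, so the example pairs the SameSite cookie attribute with a per-session synchronizer token.

```php
<?php
// Added example (not the original poster's code): hardened PHP session handling
// for a page like /admin.php?page=12&results=5.
// Assumptions: PHP >= 7.4, served over HTTPS, default file session handler.
// REGEN_INTERVAL, GRACE_SECONDS, log_session_event() and 'user_id' are names
// chosen for this example.

declare(strict_types=1);

const REGEN_INTERVAL = 300;  // rotate the session id every 5 minutes
const GRACE_SECONDS  = 30;   // a retired id is honoured this long for in-flight requests

/** Hypothetical log sink; replace with the application's real logger. */
function log_session_event(string $event, array $ctx = []): void
{
    error_log(json_encode(['event' => $event, 'ip' => $_SERVER['REMOTE_ADDR'] ?? '-', 'ts' => time()] + $ctx));
}

function start_secure_session(): void
{
    ini_set('session.use_strict_mode', '1');   // reject ids the server never issued
    ini_set('session.use_only_cookies', '1');  // never read the id from the URL
    session_set_cookie_params([
        'lifetime' => 0, 'path' => '/', 'secure' => true,
        'httponly' => true, 'samesite' => 'Strict',
    ]);
    session_start();

    if (isset($_SESSION['retired_at'])) {
        if (time() - $_SESSION['retired_at'] > GRACE_SECONDS) {
            // A retired id presented after the grace window is a replayed or stolen cookie:
            // log the last user of the old id and the id that replaced it, then refuse.
            log_session_event('retired_session_used', [
                'old_user'  => $_SESSION['user_id'] ?? null,
                'successor' => $_SESSION['successor'] ?? null,
            ]);
            $_SESSION = [];
            session_destroy();
            http_response_code(401);
            exit('session invalid');
        }
        // Still inside the grace window (e.g. a parallel request): move to the successor id.
        $successor = $_SESSION['successor'];
        session_commit();
        session_id($successor);
        ini_set('session.use_strict_mode', '0'); // accept an id we assigned ourselves (PHP manual pattern)
        session_start();
    }

    $_SESSION['created_at'] ??= time();
    if (time() - $_SESSION['created_at'] >= REGEN_INTERVAL) {
        rotate_session_id();
    }
}

function rotate_session_id(): void
{
    $data = $_SESSION;                 // carry the user's data to the new id explicitly
    $new  = session_create_id();
    $_SESSION['retired_at'] = time();  // mark the old id; it stays usable for GRACE_SECONDS
    $_SESSION['successor']  = $new;
    session_commit();

    session_id($new);
    ini_set('session.use_strict_mode', '0');
    session_start();
    unset($data['retired_at'], $data['successor']);
    $_SESSION = $data;
    $_SESSION['created_at'] = time();
    log_session_event('session_rotated', ['user' => $data['user_id'] ?? null]);
}

/** Per-session synchronizer token: CORS does not stop a cross-site form POST, this does. */
function csrf_token(): string
{
    $_SESSION['csrf'] ??= bin2hex(random_bytes(32));
    return $_SESSION['csrf'];
}

function require_csrf(): void
{
    if (!hash_equals($_SESSION['csrf'] ?? '', (string)($_POST['csrf'] ?? ''))) {
        http_response_code(403);
        exit('bad csrf token');
    }
}

// --- admin.php ---
start_secure_session();
if (empty($_SESSION['user_id'])) {
    http_response_code(401);
    exit('login required');
}
// Validate the paging parameters instead of trusting them as typed.
$page    = filter_input(INPUT_GET, 'page',    FILTER_VALIDATE_INT, ['options' => ['min_range' => 1, 'default' => 1]]);
$results = filter_input(INPUT_GET, 'results', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1, 'max_range' => 100, 'default' => 25]]);
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    require_csrf();                    // any state-changing action must carry the token
}
```

Rotation on a timer limits how long a stolen cookie stays valid and defeats session fixation, but within the rotation interval a copied cookie still works; HttpOnly keeps it away from injected script, Secure keeps it off plaintext connections, and use_strict_mode stops an attacker from choosing the id in the first place.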

Hi, it seems like you are using a "GET" request to pass data. Please use a "POST" request; it is more secure and the details will not be available in the URL (because sensitive data must not be visible to others).

Content on this site is published under CC BY-SA 4.0. © 2020-2024 STACKOOM.COM