Difference between revisions for Users / Eo Ny
|
← Previous edit
|
Next edit →
|
| Version1 | Version2 | ||
|---|---|---|---|
| 1807 | 1807 | ||
| 1808 | ---- | 1808 | ---- |
| 1809 | 1809 | ||
| 1810 | === TODO Items (From Code Comments) === | 1810 | ===TODO Items (From Code Comments)=== |
| 1811 | |||
| 1812 | The following improvements are planned: | 1811 | The following improvements are planned: |
| 1813 | 1. **Do not store session ID in filename or DB index - store hash instead** | 1812 | 1. **Do not store session ID in filename or DB index - store hash instead** |
| 1814 |
|
1813 | - Improves security by not exposing IDs in storage layer |
| 1815 |
|
1814 | - Would require hashing logic in store_* methods |
| 1816 | 2. **Log of IP changes and other possible security alerts** | 1815 | 2. **Log of IP changes and other possible security alerts** |
| 1817 |
|
1816 | - Track ##sticky__ip## changes more comprehensively |
| 1818 |
|
1817 | - Create security audit trail |
| 1819 | 3. **Allocate internal unique session which lives through lifetime of uber-session** | 1818 | 3. **Allocate internal unique session which lives through lifetime of uber-session** |
| 1820 |
|
1819 | - Multi-session management (parent/child sessions) |
| 1821 |
|
1820 | - Useful for complex user flows |
| 1822 | 4. **Do not delete old sessions, but use them as hijack pointers** | 1821 | 4. **Do not delete old sessions, but use them as hijack pointers** |
| 1823 |
|
1822 | - Maintain session history for analysis |
| 1824 |
|
1823 | - Detect potential session hijacking patterns |
| 1825 |
|
1824 | - Implement session relationship tracking |
| 1826 | 5. **All SIDs used later than ~5secs of regenerations is hijacks** | 1825 | 5. **All SIDs used later than ~5secs of regenerations is hijacks** |
| 1827 |
|
1826 | - Detect and block delayed session ID usage |
| 1828 |
|
1827 | - Current implementation allows 5-second window |
| 1829 |
|
1828 | - Could be more granular |
| 1830 | 1829 | ||
| 1831 | ---- | 1830 | ---- |
| 1832 | 1831 | ||