Difference between revisions for Users / Eo Ny




← Previous edit
Next edit →

Version1 Version2 Differences
1807 1807
1808 1808 ----
1809 1809
1810   === TODO Items (From Code Comments) ===
1811  
  1810 ===TODO Items (From Code Comments)===
1812 1811 The following improvements are planned:
1813 1812   1. **Do not store session ID in filename or DB index - store hash instead**
1814     - Improves security by not exposing IDs in storage layer
1815     - Would require hashing logic in store_* methods
  1813     - Improves security by not exposing IDs in storage layer
  1814     - Would require hashing logic in store_* methods
1816 1815   2. **Log of IP changes and other possible security alerts**
1817     - Track ##sticky__ip## changes more comprehensively
1818     - Create security audit trail
  1816     - Track ##sticky__ip## changes more comprehensively
  1817     - Create security audit trail
1819 1818   3. **Allocate internal unique session which lives through lifetime of uber-session**
1820     - Multi-session management (parent/child sessions)
1821     - Useful for complex user flows
  1819     - Multi-session management (parent/child sessions)
  1820     - Useful for complex user flows
1822 1821   4. **Do not delete old sessions, but use them as hijack pointers**
1823     - Maintain session history for analysis
1824     - Detect potential session hijacking patterns
1825     - Implement session relationship tracking
  1822     - Maintain session history for analysis
  1823     - Detect potential session hijacking patterns
  1824     - Implement session relationship tracking
1826 1825   5. **All SIDs used later than ~5secs of regenerations is hijacks**
1827     - Detect and block delayed session ID usage
1828     - Current implementation allows 5-second window
1829     - Could be more granular
  1826     - Detect and block delayed session ID usage
  1827     - Current implementation allows 5-second window
  1828     - Could be more granular
1830 1829
1831 1830 ----
1832 1831