Difference between revisions for Users / Eo Ny




← Previous edit
Next edit →

Version1 Version2 Differences
1 1 == Session Management Technical Documentation ==
2 2 {{toc numerate=1}}
  3  
3 4 === Overview ===
4 5
5 6 The ##Session## class is an abstract session management system for WackoWiki that extends ##ArrayObject## to provide secure, configurable session handling. It implements sophisticated security features including session ID regeneration, anti-replay protection, nonce verification, and user agent/IP validation.
1806 1807
1807 1808 ----
1808 1809
1809   === TODO Items (From Code Comments) ===
1810  
  1810 ===TODO Items (From Code Comments)===
1811 1811 The following improvements are planned:
1812 1812   1. **Do not store session ID in filename or DB index - store hash instead**
1813     - Improves security by not exposing IDs in storage layer
1814     - Would require hashing logic in store_* methods
  1813     - Improves security by not exposing IDs in storage layer
  1814     - Would require hashing logic in store_* methods
1815 1815   2. **Log of IP changes and other possible security alerts**
1816     - Track ##sticky__ip## changes more comprehensively
1817     - Create security audit trail
  1816     - Track ##sticky__ip## changes more comprehensively
  1817     - Create security audit trail
1818 1818   3. **Allocate internal unique session which lives through lifetime of uber-session**
1819     - Multi-session management (parent/child sessions)
1820     - Useful for complex user flows
  1819     - Multi-session management (parent/child sessions)
  1820     - Useful for complex user flows
1821 1821   4. **Do not delete old sessions, but use them as hijack pointers**
1822     - Maintain session history for analysis
1823     - Detect potential session hijacking patterns
1824     - Implement session relationship tracking
  1822     - Maintain session history for analysis
  1823     - Detect potential session hijacking patterns
  1824     - Implement session relationship tracking
1825 1825   5. **All SIDs used later than ~5secs of regenerations is hijacks**
1826     - Detect and block delayed session ID usage
1827     - Current implementation allows 5-second window
1828     - Could be more granular
  1826     - Detect and block delayed session ID usage
  1827     - Current implementation allows 5-second window
  1828     - Could be more granular
1829 1829
1830 1830 ----
1831 1831
1852 1852
1853 1853 ----
1854 1854
1855   === Version History ===
  1855 ===Version History===
1856 1856   - **Current**: Abstract session class with security features
1857 1857   - **Planned**: Implementation of TODO items above
1858 1858
1859 1859 ----
1860     *Documentation generated: 2026-05-05*
1861     *For latest updates, see: https://github.com/Trojer/wackowiki/blob/main/docs/SESSION_DOCUMENTATION.md*
  1860 **Documentation generated: 2026-05-05**
  1861 **For latest updates, see: https://github.com/Trojer/wackowiki/blob/main/docs/SESSION_DOCUMENTATION.md**