Session hijacking prevention #1521

nadar · 2017-09-26T14:18:25Z

In order to prevent session hijacking bind session id to current ip adresse in database and make sure its the same on each request.

nadar · 2017-10-04T07:06:27Z

Due to yii2-debug toolbar which implements the user panel and trys to regenerate the session in yii\web\User unexpected logouts appear.

nadar · 2017-10-09T06:59:58Z

In order to conflict with the yii2 web user behavior:

admin user logins add new flag is_destroyed
check only for instance from the user ip where is destroyed not false.

#1521

nadar added the enhancement label Sep 26, 2017

nadar added this to the 1.0.0 milestone Sep 26, 2017

nadar self-assigned this Sep 26, 2017

nadar added a commit that referenced this issue Sep 26, 2017

add new session and ip check on each login request #1521

7a4d453

nadar added a commit that referenced this issue Sep 26, 2017

logout when request is 403 or 405 in addition to 401 #1521

9a168d3

nadar closed this as completed in 248b696 Oct 2, 2017

nadar reopened this Oct 2, 2017

nadar added a commit that referenced this issue Oct 2, 2017

add host based secure variables #1521

e75f314

nadar changed the title ~~Prevent session hijacking prevention~~ Session hijacking prevention Oct 4, 2017

nadar added a commit that referenced this issue Oct 9, 2017

fixed issue with session hijack prevention, token is now bound to an ip.

2702dcb

#1521

nadar added the wip:require_testing label Oct 9, 2017

nadar closed this as completed Oct 17, 2017

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Session hijacking prevention #1521

Session hijacking prevention #1521

nadar commented Sep 26, 2017

nadar commented Oct 4, 2017 •

edited

Loading

nadar commented Oct 9, 2017

Session hijacking prevention #1521

Session hijacking prevention #1521

Comments

nadar commented Sep 26, 2017

nadar commented Oct 4, 2017 • edited Loading

nadar commented Oct 9, 2017

nadar commented Oct 4, 2017 •

edited

Loading