Session security improvements in AuthMiddleware:

1. Secure Cookie Configuration:
   - HttpOnly flag prevents JavaScript access to session cookies
   - Secure flag requires HTTPS (protects from MITM)
   - SameSite=Strict prevents CSRF via cookie inclusion
   - Strict mode rejects uninitialized session IDs

2. Session Fixation Prevention:
   - session_regenerate_id(true) called after successful authentication
   - Old session ID destroyed, new one generated
   - Prevents attacker from using pre-set session ID

3. CSRF Token Regeneration:
   - New CSRF token generated on login
   - Ensures fresh token for each session

These changes protect against session hijacking, fixation, and cross-site attacks while maintaining existing 5-hour timeout.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
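The three measures the commit message lists (hardened cookie flags plus use_strict_mode, session_regenerate_id(true) after authentication, and a fresh CSRF token on login) fit together as shown below. This is an added example, not the AuthMiddleware code from the commit; the class name SessionHardening, the login-flow sketch at the bottom, and the $request/$auth objects in it are hypothetical.

```php
<?php
// Added example, not the project's AuthMiddleware. Illustrates the session
// hardening steps described in the commit message on stock PHP (>= 7.4).
declare(strict_types=1);

final class SessionHardening
{
    // Keeps the existing 5-hour timeout mentioned in the commit message.
    public const TIMEOUT_SECONDS = 5 * 60 * 60;

    /** Configure and start the session. Must run before any output. */
    public static function configure(): void
    {
        // Strict mode: PHP refuses session IDs it did not issue, so an
        // attacker-chosen ID planted before login is never adopted.
        ini_set('session.use_strict_mode', '1');
        ini_set('session.use_only_cookies', '1');
        ini_set('session.gc_maxlifetime', (string) self::TIMEOUT_SECONDS);

        session_set_cookie_params([
            'lifetime' => 0,          // browser-session cookie; server-side timeout governs expiry
            'path'     => '/',
            'domain'   => '',
            'secure'   => true,       // sent only over HTTPS
            'httponly' => true,       // invisible to document.cookie
            'samesite' => 'Strict',   // not attached to any cross-site request
        ]);

        session_start();
        self::enforceTimeout();
    }

    /** Idle timeout: drop sessions that have been inactive for too long. */
    private static function enforceTimeout(): void
    {
        $now = time();
        if (isset($_SESSION['last_activity'])
            && ($now - $_SESSION['last_activity']) > self::TIMEOUT_SECONDS) {
            self::destroy();
            session_start();
        }
        $_SESSION['last_activity'] = $now;
    }

    /** Call only after the credentials have been verified. */
    public static function onLoginSuccess(int $userId): void
    {
        // New ID and the old session record deleted (true): whoever fixed the
        // pre-login ID is left with a session that no longer exists.
        session_regenerate_id(true);
        $_SESSION['user_id']          = $userId;
        $_SESSION['authenticated_at'] = time();
        // Fresh CSRF token bound to the regenerated session.
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }

    public static function csrfToken(): string
    {
        return $_SESSION['csrf_token'] ??= bin2hex(random_bytes(32));
    }

    /** Constant-time comparison of a submitted token against the session's. */
    public static function verifyCsrf(?string $submitted): bool
    {
        $expected = $_SESSION['csrf_token'] ?? null;
        return is_string($submitted) && is_string($expected)
            && hash_equals($expected, $submitted);
    }

    /** Full logout: clear data, expire the cookie, destroy server-side state. */
    public static function destroy(): void
    {
        $_SESSION = [];
        $p = session_get_cookie_params();
        setcookie(session_name(), '', [
            'expires'  => time() - 42000,
            'path'     => $p['path'],
            'domain'   => $p['domain'],
            'secure'   => $p['secure'],
            'httponly' => $p['httponly'],
            'samesite' => $p['samesite'],
        ]);
        session_destroy();
    }
}

// Hypothetical request flow ($request and $auth are placeholders):
// SessionHardening::configure();
// if ($request->isPost()
//     && SessionHardening::verifyCsrf($request->post('_csrf'))
//     && $auth->check($request->post('user'), $request->post('pass'))) {
//     SessionHardening::onLoginSuccess($auth->userId());
// }
```

Two operational caveats worth checking before shipping such a change: SameSite=Strict means the session cookie is withheld on cross-site top-level navigations as well, so a logged-in user who follows a link from an external site lands on the app without a session until they navigate internally; and session_regenerate_id(true) deletes the old session record immediately, so a concurrent request still carrying the old ID (an AJAX call in flight during login, for example) will be treated as unauthenticated.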
7.7 KiB