Session
Session Hijacking Protection
Same-site cookie recipe:
Set-Cookie: session_id=278283910977381992837; HttpOnly; Secure; SameSite=Lax
- Prevent XSS cookie theft: disable JavaScript access to the cookie:
  Set-Cookie: session_id=278283910977381992837; HttpOnly
- Prevent CSRF abuse of the cookie: enable the same-site (SameSite) policy, so the cookie is only sent on top-level GET navigations (e.g. links shared on social media):
  Set-Cookie: session_id=278283910977381992837; SameSite=Lax
- Prevent man-in-the-middle attack: use an HTTPS connection:
  Set-Cookie: session_id=278283910977381992837; Secure
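The recipe above is only as good as the header the server actually emits. The following is an added example (not code from the original notes, and not tied to any framework) that builds a hardened session cookie and audits a Set-Cookie header for the three attributes each bullet relies on; the function names `buildSessionCookie`, `parseSetCookie` and `auditSessionCookie` are assumptions of this example:

```javascript
// Added example (not from the original notes): build a hardened session cookie and
// audit a Set-Cookie header for HttpOnly, Secure and SameSite. Plain Node.js.

// Build a Set-Cookie header value with HttpOnly, Secure and SameSite (Lax by default).
function buildSessionCookie(name, value, { sameSite = 'Lax', maxAge } = {}) {
  const parts = [`${name}=${value}`, 'HttpOnly', 'Secure', `SameSite=${sameSite}`];
  if (maxAge !== undefined) parts.push(`Max-Age=${maxAge}`);
  return parts.join('; ');
}

// Parse a Set-Cookie header into { name, value, attrs }; attribute keys are lower-cased,
// valueless attributes (HttpOnly, Secure) are stored as `true`.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';').map(s => s.trim()).filter(Boolean);
  const eq = pair.indexOf('=');
  const name = eq === -1 ? pair : pair.slice(0, eq);
  const value = eq === -1 ? '' : pair.slice(eq + 1);
  const attrs = {};
  for (const attr of rest) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    attrs[key] = i === -1 ? true : attr.slice(i + 1);
  }
  return { name, value, attrs };
}

// Return a list of findings for a session cookie header; an empty list means it
// carries every protection from the recipe.
function auditSessionCookie(header) {
  const { attrs } = parseSetCookie(header);
  const findings = [];
  if (!attrs.httponly) findings.push('missing HttpOnly: readable by script (XSS theft)');
  if (!attrs.secure) findings.push('missing Secure: sent over plain HTTP (MITM)');
  const sameSite = typeof attrs.samesite === 'string' ? attrs.samesite.toLowerCase() : null;
  if (!sameSite || sameSite === 'none') {
    findings.push('SameSite missing or None: sent on cross-site requests (CSRF)');
  }
  if (sameSite === 'none' && !attrs.secure) findings.push('SameSite=None requires Secure');
  return findings;
}

// Constructed sample: the header from the recipe above passes, a bare cookie does not.
const recipeHeader = 'session_id=278283910977381992837; HttpOnly; Secure; SameSite=Lax';
console.log(auditSessionCookie(recipeHeader));                      // []
console.log(auditSessionCookie('session_id=278283910977381992837')); // three findings
```

`auditSessionCookie` is the kind of check worth running in an integration test against the real response headers, since frameworks commonly default to no `Secure` or `SameSite` attribute at all.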
Session Fixation Protection
Transmit a complex session ID in the HTTP Cookie, and reset the session ID after a successful login and after any malicious tampering:
- Do not pass the session ID in the query string or request body: when the user follows a link to a third-party site, the session ID leaks through the Referer header, so pass it in the HTTP Cookie instead. Likewise, never place any other sensitive data (such as tokens) in the URL query.
- Generate a complex (long, random, unguessable) session ID.
- Do not store sensitive information in session variables before authentication succeeds.
- Reset the session ID after the session is set up successfully (i.e. right after login).
- Reset the session ID (issue a new Set-Cookie) after it has been changed manually on the client or the client context changes:
  - IP.
  - Device.
  - User agent.
```js
// express-session: regenerate the ID after login so any ID held before authentication is useless
req.session.regenerate((err) => {
  if (err) return next(err)
})
// express-session `genid` option: 24 random bytes from uid-safe instead of a guessable ID
const generateSessionId = req => uid(24)
```