1
vote
1 answer
8 views

Making JSESSIONID secure creating an issue for login issue from non-secure context

I have secured JSESSIONID and also made it HttpOnly. Now the problem is that I am not able to log in to my application from an unsecured page (HTTP protocol). Is there any way to move from secure page (https) ...
0
votes
2 answers
38 views

Customizable redirection via session: unsecure and can be improved?

I am modifying Opencart which contains several modules represented by PHP pages. However my question applies to any case that involves the following. So no need to make this an opencart specific ...
0
votes
0 answers
52 views

Is this a secure way to keep a user logged in? [closed]

I'm trying to keep a user logged in securely, while connecting to the DB as little as possible (for performance). Here's how the user's sessions are currently being managed: On login, the User() ...
1
vote
1 answer
53 views

PHP referral by link script. Is mine secure? Do you know any better ones?

I want to reward users if they refer a friend. I've been using the following code to do it, but I'm worried that it might not be secure (users make fake accounts to game it). Can I improve this code? ...
3
votes
2 answers
57 views

Is it safe to use the session id as a filename in PHP?

In a PHP web application, I am using the session id as a filename. At a certain point, these files are deleted, with code like unlink('tmp/'.session_id()); I am aware of the fact that a user ...
1
vote
1 answer
42 views

HTTP pages are removing my secure cookies

I have a site with mixed HTTP / HTTPS. When the user logs in, she gets two cookies: a regular cookie with her (signed) username, login expire time, and an "insecure" flag; a secure cookie with her ...
0
votes
1 answer
35 views

Secure URL functions?

My company's website just got hacked, and I'm now restoring the website with extra caution. The company wants the site up as soon as possible so I don't have enough time to actually re-code the ...
0
votes
2 answers
81 views

Is it secure to save password in cookie or it's better to save it in database

I currently save my password in database and check it with session cookie but it makes authentication of user so slow and since I have many users I bought an SSL certificate for my website and I need ...
0
votes
1 answer
30 views

Let the csrf token expire in the user session after 15 minutes or remove it directly?

Today I've added CSRF protection in my web application. When an HTML form is printed I generate a random token and put it in a hidden field and in the user session. When the form is submitted I read hidden ...
-2
votes
1 answer
28 views

If user in session, copies and pastes url in another window, the app should get logged out

I am working on a financial web application. There is a client requirement that if user is logged in and already browsing the app. If he copies and pastes the browser url to another window. In ...
1
vote
1 answer
146 views

Why Doesn't Asp.Net Session.Clear() Work On Close Tab When I See It Run?

I have been attempting to get a clean break from a session when a tab is closed for a workplace system used by supervisors and others. I am successful when the person logs out - all is cleared. ...
0
votes
1 answer
32 views

Security of sessions in ASP.NET

If I do the following in one of my .aspx pages: Session["MySess123"] = "Some plain text"; and then read it from another .ashx page: string str = Session["MySess123"].ToString(); Will Some plain ...
0
votes
0 answers
48 views

Can not protect a websocket endpoint with the @Security.Authenticated-Annotation

I want to protect my websocket endpoint with security class by the @Security.Authenticated-Annotation. But this isn't possible. My purpose is that only clients which are logged in and have a valid ...
3
votes
3 answers
68 views

Is there a better way of protecting specific webpages?

I have a website where only a user with admin privileges can view certain pages. When logging into my admin account, $_session["is_admin"] = true is set. Then on the pages that I want only ...
0
votes
2 answers
67 views

Security vulnerability from saving user info in PHP sessions?

I am creating a RESTful API-centric web application. Once a user logs in they will receive a session id and login key that will be used for accessing their data until their session expires. The web ...
