Add session hijacking mitigation configuration #564
Conversation
|
Cmon @Ocramius |
Slamdunk
changed the title
|
Ping @Ocramius |
There was a problem hiding this comment.
Overall, patch direction improved massively.
My feedback is mostly highlighting problems without proposing real alternatives at the moment, since I mostly focused on providing some feedback at first.
I believe we can discuss this on a call again, but the fact that most validation is now handled inside lcobuccci/jwt is really good.
Things I don't like:
- current ergonomics and docs (mostly, because we're uncovering issues due to lack of a config builder)
- introduction of
sodium_stuff that we'll have to maintain, where a simplesha1is already effective - reliance on
$_SERVERwhere reading a header would be preferable - reliance on
REMOTE_ADDRwhere unreliable
| interface Source | ||
| { | ||
| /** @return non-empty-string */ | ||
| public function extractFrom(ServerRequestInterface $request): string; |
There was a problem hiding this comment.
This interface requires some documentation: taken as-is, it is not very clear what it does.
Also, could it be that it cannot extract information from $request?
| /** @immutable */ | ||
| final class RemoteAddr implements Source | ||
| { | ||
| public const REQUEST_ATTRIBUTE_NAME = 'REMOTE_ADDR'; |
There was a problem hiding this comment.
There is a problem with relying on REMOTE_ADDR: it does not consider any proxies. If we assume that there's an upfront middleware that clears all this information, that's fine, but this Source is unreliable when the middleware is deployed independently, and put behind a reverse proxy.
There was a problem hiding this comment.
The only thing this library can do about that is documentation:
https://github.com/psr7-sessions/storageless/tree/9.0.x#session-hijacking-mitigation
|
Done :-) |
Slamdunk
force-pushed
the
hijacking_mitigation
branch
from
4929d6a to
371336e
Compare
No description provided.