I can’t see the whole session management.
I have now implemented this one to take care of the login process, as well as this one to protect my services from XSRF attacks.
But now, when I have this, I wonder:
- If I enable SSL, is the cookie sent before a secure connection is created? Is this session identifier (cookie) ever protected?
- Is the cookie sent with each request and stored for user identification? For instance, if the user wants to view his settings, to make sure that this is not a fake request trying to get the settings of another user. Do you get what I mean?
I would send a session identifier with each request, compare it with the session identifier in my database and, if the request token (XSRF security) is fine, execute the request - or is this too much overhead?
I'm still not quite sure that what I am doing here is 100% correct, and I want to make sure that I do not unnecessarily violate any of the security measures that I spent time implementing.
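Added example (not the poster's code, and not tied to any particular framework) showing the flow the question describes: a session cookie issued with the Secure, HttpOnly and SameSite attributes, a per-request lookup of the session id in a store, and a constant-time check of the XSRF token bound to that session on state-changing requests. The in-memory dictionary stands in for the poster's database; the header name X-CSRF-Token is an assumed convention.

```python
import hmac
import secrets

# Constructed in-memory session store standing in for the poster's database.
# Maps session id -> {"user_id": ..., "csrf": token bound to this session}.
SESSIONS = {}


def create_session(user_id: str) -> tuple:
    """Create a session for user_id; return (session_id, csrf_token)."""
    session_id = secrets.token_urlsafe(32)   # unguessable session identifier
    csrf_token = secrets.token_urlsafe(32)   # per-session XSRF token
    SESSIONS[session_id] = {"user_id": user_id, "csrf": csrf_token}
    return session_id, csrf_token


def session_cookie_header(session_id: str) -> str:
    """Value for the Set-Cookie response header.

    Secure: the browser only sends the cookie over HTTPS, so it is never
    exposed on a plaintext connection. HttpOnly: page scripts cannot read it.
    SameSite=Strict: the browser withholds it on cross-site requests.
    """
    return f"sid={session_id}; Secure; HttpOnly; SameSite=Strict; Path=/"


def authorize(cookies: dict, headers: dict, state_changing: bool):
    """Return the user id owning this request, or None to reject it.

    Every request: resolve the session cookie against the store (one keyed
    lookup per request, which is the normal cost of server-side sessions).
    State-changing requests additionally: the presented XSRF token must equal
    the token bound to that session, compared in constant time.
    """
    session = SESSIONS.get(cookies.get("sid", ""))
    if session is None:
        return None                      # unknown or expired session
    if state_changing:
        presented = headers.get("X-CSRF-Token", "")  # assumed header name
        if not hmac.compare_digest(presented.encode(), session["csrf"].encode()):
            return None                  # token missing or bound to another session
    return session["user_id"]
```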