All Questions
13 questions
1 vote · 1 answer · 552 views
Should I store session id in server database?
I wanted to implement a login system using the Flask framework. I managed to do this using sessions and set them to expire after 31 days and it works (sessions are created using the server secret key, timestamp ...
1 vote · 4 answers · 119 views
How can I store a user's capabilities to boost performance while allowing real-time updates of said capabilities?
I'm ingesting 150 objects that each require a user capabilities check; the function isUserAdmin tells me whether or not a user is an admin. Inside this function, there's a lot of deeper ...
0 votes · 0 answers · 59 views
Is it a good practice to store session in two different places?
I have a use case like this and I am wondering if this solution is a good practice or not. Say I have a website called dashboard.com and this is only for the US region. When users log in here, I am ...
2 votes · 2 answers · 687 views
Security Issues with RESTful Authentication & Session Management
I'm trying to implement authentication and session management for a microservice. In order to do the process RESTfully, I understand that I'll need to use some kind of token-based authentication to ...
4 votes · 2 answers · 4k views
Managing session timeouts with regards to user activity in the page
So I will be creating a feature for a PHP application that does the following: Create a session that expires after 30 minutes. After 30 minutes, if there is no user activity in the application (...
1 vote · 2 answers · 2k views
Refreshing a token best practice
I have been asked to implement refreshing a token. A token ID is the same as a session ID. I have considered resetting the session's idle time to 0 and continuing to use the same session ID for the ...
-1 votes · 1 answer · 285 views
Cookie name security
Is it a security hole to name each session with the username of the user currently logged in? example: //Alice has login sessions_name('Alice'); sessions_start(); //Alice has login //When Bob Logs ...
2 votes · 1 answer · 391 views
How do you implement an active sessions system like LinkedIn? [closed]
With some platforms, like LinkedIn, you can see a list of all sessions where you are logged in, and you can even log them out at a distance. How would you implement something like that? I'm not ...
1 vote · 0 answers · 532 views
How to validate information on server without using database or session
Each user has multiple sites they can access reporting data for in an application I am working on. To prevent having to go to the database on every single request, I validate that they have access to ...
8 votes · 4 answers · 13k views
How to store Role Based Access rights in web application?
Currently working on a web-based CRM-type system that deals with various modules such as Companies, Contacts, Projects, Sub Projects, etc. A typical CRM-type system (ASP.NET Web Forms, C#, SQL Server ...
2 votes · 1 answer · 1k views
User Authentication & Session Management
One of the fundamental ways of handling user login authentication & session management is by storing variables in Session space plus setting some data in cookies on the client computer, while sometimes ...
4 votes · 0 answers · 3k views
Connecting with OAuth, dealing with logout and browser sessions
I work on an open-source web application (Moodle) which connects to a number of external services such as Google Drive, Dropbox, etc. to allow users to exchange files with these services. Primarily we ...
-1 votes · 2 answers · 788 views
Should F12's request headers show the session ID as a cookie?
I'm trying to educate myself on potential web attacks. I just found a site (which will remain anonymous) where it shows me what looks to be the PHP session ID inside the cookies section of the ...