Refactor sessions to frequently rotate
In order to minimise the window of opportunity to steal a session, automatically rotate it onto a new session on a frequent basis. This makes a session cookie older than the automatic rollover time less likely to grant access and more likely to be detected. Should a stolen session cookie get rotated while the attacker is using it, the user will be notificed that their session has been taken the next time they open the app if the user re-visits the website before the session is discarded.
This commit is contained in:
parent
d9b78bff69
commit
1775fac5fd
18 changed files with 168 additions and 73 deletions
17
docs/admin/config.md
Normal file
17
docs/admin/config.md
Normal file
|
|
@ -0,0 +1,17 @@
|
|||
<!--
|
||||
SPDX-FileCopyrightText: © 2025 Hornwitser <code@hornwitser.no>
|
||||
SPDX-License-Identifier: AGPL-3.0-or-later
|
||||
-->
|
||||
# Configuration
|
||||
|
||||
## Environment Variables
|
||||
|
||||
### NUXT_SESSION_EXPIRES_TIMEOUT
|
||||
|
||||
Time in seconds before a session is considered expired and need to be rotated over into a new session. When an endpoint using a session is hit after the session expires but before the session is discarded a new session is created as the successor with a new expiry and discard timeout. The old session then considered to have been superceeded and any requests using the old session will result in a 403 Forbidden with the message the session has been taken.
|
||||
|
||||
### NUXT_SESSION_DISCARD_TIMEOUT
|
||||
|
||||
Time in seconds before a session is deleted from the client and server, resulting in the user having to authenticate again if the session wasn't rotated over into a new session before this timeout.
|
||||
|
||||
This should be several times greater that `NUXT_SESSION_EXPIRES_TIMEOUT`.
|
||||
Loading…
Add table
Add a link
Reference in a new issue