Comments (3)
I am about to hop on a plane, and will be slow to respond all week.
So, quickly
- We don't support session ID in URLs any more. So the session fixation problem goes away.
- As noted, auth is separate to session
- Protecting against XSS is the app's concern, but with MVC we encode everything by default. So, setting the cookie via XSS is unlikely, unless the developer has bypassed all our protection, at which point there's no helping them.
- Man-in-the-middle attacks - use HTTPS
If you want Andre's protection then by all means add his package, but I don't see the need to implement that sort of approach ourselves.
Closing based on @blowdart's comment. @alexdresko, please let us know if you have other questions.