After a security review performed by an external company, one weakness was found. Since the base token is stored in the session, and the session expiration can be set in days, it is possible to store some tokens and use them later for attacks (mainly on public computers, e.g. in an internet cafe).
The token should be regenerated after user login and logout. This would prevent most illegitimate uses.
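As an added example (not the project's own code), the following Python sketch models a session-scoped CSRF base token and shows the difference between keeping the token for the whole session lifetime and rotating it on login and logout; the class and the `rotate_on_auth_change` switch are assumptions made for the illustration.

```python
import hmac
import secrets


class SessionCsrf:
    """Illustrative session with one CSRF base token (assumed design, not the project's code)."""

    def __init__(self, rotate_on_auth_change: bool):
        # Weak setting: token lives as long as the session (possibly days).
        # Corrected setting: token is replaced whenever the user logs in or out.
        self.rotate_on_auth_change = rotate_on_auth_change
        self.session = {}
        self._rotate()

    def _rotate(self):
        # Fresh, unpredictable base token bound to this session.
        self.session["csrf_base"] = secrets.token_hex(32)

    def current_token(self) -> str:
        return self.session["csrf_base"]

    def login(self, user: str):
        self.session["user"] = user
        if self.rotate_on_auth_change:
            self._rotate()  # anything captured before login no longer validates

    def logout(self):
        self.session.pop("user", None)
        if self.rotate_on_auth_change:
            self._rotate()  # anything captured during the session no longer validates

    def verify(self, submitted) -> bool:
        expected = self.session.get("csrf_base")
        if expected is None or not isinstance(submitted, str):
            return False
        return hmac.compare_digest(expected, submitted)  # constant-time comparison


def scenario(rotate_on_auth_change: bool) -> dict:
    """Shared-machine scenario: a token is captured before the victim logs in,
    then replayed after login and again after logout."""
    s = SessionCsrf(rotate_on_auth_change)
    captured = s.current_token()
    s.login("alice")
    after_login = s.verify(captured)
    fresh_ok = s.verify(s.current_token())
    s.logout()
    after_logout = s.verify(captured)
    return {"after_login": after_login, "fresh_ok": fresh_ok, "after_logout": after_logout}
```

With rotation disabled the captured token still validates after both login and logout; with rotation enabled only a token issued for the current authentication state is accepted.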