I am creating this webapp where users can create their own online presentation using html and javascript (these downloads will be on AWS S3, and not on the server itself). They connect their domain name to the application. I have the following setting, but who knows if this is the safest setting in terms of security and / or what constitutes a risk, thanks for the help!
Global setting
When a user logs in to the admin from a domain other than sl ( http://userdomain.com ), the login form automatically displays the credentials for the SSL login domain ( https://logindomain.com )
The logindomain.com log also verifies when a new PHP session successfully starts. Session is valid only for userdomain.com. Session_id is also stored in the database for this user account.
Then this session_id is sent to userdomain.com via $ _GET (with two-way encryption)
Add userdomain.com, sended session_id is checked on the user account in the database, and if normal, a new session starts based on this session_id. When a new session is completed, session_id is regenerated and updated in the database. This session is valid for a limited time (in terms of the session timeout, but also in the database).
Then the user is redirected to the application (non-ssl) because he is registered
On each page, the user's session is checked in the database based on session_id and the actual timewindow.
The server is not a public installation of hosting, so there are no other virtual hosts that share sesssion data.
Is this login setting safe or how can it be made more secure?
Thanks! Greetings
column Dennis
source share