AUTH
PHP htmlspecialchars()
https://humanwhocodes.com/blog/2009/05/12/cookies-and-security/
https://auth0.com/docs/best-practices/token-best-practices
Session hijacking attacks:
- only send cookies over SSL
- generate the session key randomly, and/or derive it from information about the user (username, IP address, time of login, etc.)
XSS attacks:
- Don’t include JavaScript from untrusted domains. The CDNs of large companies such as Yahoo!, Google, and AOL should be safe; use extreme caution when including from other locations.
- Filter out HTML from all user input or otherwise sanitize it. Never take user input and output it onto a page without some sort of filtering.
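Putting the two notes above together in PHP, as an added example (not code from either linked post): the session cookie is issued only over TLS with a random, rotated ID, and the untrusted string (constructed here, along with the function name escapeForHtml) is encoded with htmlspecialchars() before it reaches the page.

```php
<?php
// Added example, not from the linked posts. The cookie settings and the
// $untrusted sample value below are constructed for illustration.

// --- Session hijacking: harden the session cookie before session_start() ---
ini_set('session.use_strict_mode', '1');   // reject session IDs the server never issued
session_set_cookie_params([
    'lifetime' => 0,        // session cookie: dropped when the browser closes
    'path'     => '/',
    'secure'   => true,     // only send the cookie over HTTPS ("only send cookies over SSL")
    'httponly' => true,     // hide it from document.cookie, so XSS cannot read it directly
    'samesite' => 'Strict',
]);
session_start();            // PHP draws the ID from its CSPRNG; no user-derived value needed

// After a successful login, rotate the ID so any pre-login value is worthless.
session_regenerate_id(true);

// If the app needs its own token (e.g. an anti-CSRF token), draw it from random_bytes().
$_SESSION['csrf'] = bin2hex(random_bytes(32));

// --- XSS: encode user input for the HTML context it is written into ---
function escapeForHtml(string $untrusted): string
{
    // ENT_QUOTES also encodes the single quote, so the value is safe inside
    // single-quoted attributes; ENT_SUBSTITUTE replaces invalid UTF-8 instead
    // of silently returning an empty string.
    return htmlspecialchars($untrusted, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample: a "display name" submitted through a form.
$untrusted = "<script>alert('x')</script>";
echo '<p>Hello, ' . escapeForHtml($untrusted) . "</p>\n";
```

Note that escaping is context-specific: htmlspecialchars() covers text and attribute values in HTML, not a value inserted into a script block or a URL.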