fixing some security issues and harderning service

app-code/api/login/check_passkey.php

@@ -1,5 +1,8 @@
 <?php
 header('Content-Type: application/json');
+include "../utils/security.php";
+secure_session_start();
+require_same_origin_request();
 require_once 'WebAuthn.php';
 include "../../config/config.php";
 $conn = new mysqli($DB_SERVERNAME, $DB_USERNAME, $DB_PASSWORD,$DB_DATABASE);
@@ -9,8 +12,6 @@ if ($conn->connect_error) {
 }
 
 try {
-    session_start();
-
     // read get argument and post body
     $fn = filter_input(INPUT_GET, 'fn');
     $requireResidentKey = !!filter_input(INPUT_GET, 'requireResidentKey');
@@ -144,6 +145,7 @@ try {
 		$_SESSION["mfa_authenticated"]=1;
 		$_SESSION["pw_authenticated"]=1;
 		$_SESSION["passkey_authenticated"]=1;
+		session_regenerate_id(true);
 		$return = new stdClass();
 		$return->success = true;