Viewing Issue Simple Details

ID: 0000215
Category: [In-Portal CMS] Security
Type: feature request
Reproducibility: always
Date Submitted: 2009-08-09 21:01
Last Update: 2009-10-03 07:57
Reporter: Dmitry
View Status: public
Assigned To: alex
Priority: normal
Resolution: reopened
Status: closed
Summary: 0000215: Session Security Checks
Description

In order to prevent session hijacking I suggest the following:

1. IP-based validation:

    // assumes session_start() has already been called for this request
    if (empty($_SESSION)) {
        // new session: remember the client's address
        $_SESSION['ip'] = md5($_SERVER['REMOTE_ADDR']);
    } else if ($_SESSION['ip'] != md5($_SERVER['REMOTE_ADDR'])) {
        session_destroy(); // destroy fake session
        session_start();   // create a new "clean" session
    }

We should make this an option using a config variable.

2. Browser signature:

    $keys = array('HTTP_USER_AGENT', 'SERVER_PROTOCOL', 'HTTP_ACCEPT_CHARSET',
                  'HTTP_ACCEPT_ENCODING', 'HTTP_ACCEPT_LANGUAGE');
    $tmp = '';
    foreach ($keys as $v) {
        // only headers the client actually sent take part in the signature
        if (isset($_SERVER[$v])) {
            $tmp .= $_SERVER[$v];
        }
    }
    $browser_sig = md5($tmp);

We should make this an option using a config variable.
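The following is an added example and is not In-Portal code nor part of the issue above. It implements the two proposed checks (IP binding and browser signature) behind two hypothetical config switches, session_check_ip and session_check_browser; the function names and the constructed request arrays in the demo are likewise assumptions. It differs from the snippet in the issue in two places a reviewer would want: the binding is verified on every request rather than only when the session happens to be empty, and a mismatch is answered with session_regenerate_id(true) instead of session_destroy() followed by session_start(), because the latter pair keeps the session ID from the cookie, so whoever stole that ID simply gets a fresh session under the same name.

```php
<?php
// Added example (not In-Portal's code): bind a PHP session to the client's
// address and browser headers, verify the binding on every request, and
// discard the session ID when it is presented from a different client.
// Config keys, function names and sample data are hypothetical.

/** Headers that make up the browser signature, as listed in the issue. */
const SIGNATURE_KEYS = [
    'HTTP_USER_AGENT', 'SERVER_PROTOCOL', 'HTTP_ACCEPT_CHARSET',
    'HTTP_ACCEPT_ENCODING', 'HTTP_ACCEPT_LANGUAGE',
];

/** Hash of the client IP; $server is normally $_SERVER. */
function client_ip_hash(array $server): string {
    return hash('sha256', $server['REMOTE_ADDR'] ?? '');
}

/** Browser signature; "\0" separators stop "ab"+"c" and "a"+"bc" colliding. */
function browser_signature(array $server): string {
    $parts = [];
    foreach (SIGNATURE_KEYS as $key) {
        $parts[] = $server[$key] ?? '';
    }
    return hash('sha256', implode("\0", $parts));
}

/**
 * Bind a fresh session to the client, or verify an existing binding.
 * $session is normally $_SESSION (by reference); $config carries the two
 * hypothetical switches. Returns true if the session may be trusted and
 * false if it must be discarded by the caller.
 */
function check_session_binding(array &$session, array $server, array $config): bool {
    $expected = [];
    if (!empty($config['session_check_ip'])) {
        $expected['_bind_ip'] = client_ip_hash($server);
    }
    if (!empty($config['session_check_browser'])) {
        $expected['_bind_ua'] = browser_signature($server);
    }

    foreach ($expected as $key => $value) {
        if (!isset($session[$key])) {
            // First request with this check enabled: record the binding.
            $session[$key] = $value;
        } elseif (!hash_equals($session[$key], $value)) {
            // Same session ID, different client: treat as a hijack.
            return false;
        }
    }
    return true;
}

/** Request glue; only meaningful under a web SAPI where cookies exist. */
function enforce_session_binding(array $config): void {
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (!check_session_binding($_SESSION, $_SERVER, $config)) {
        $_SESSION = [];                   // drop everything the old ID carried
        session_regenerate_id(true);      // new ID; old one deleted server-side
        check_session_binding($_SESSION, $_SERVER, $config); // bind the clean session
    }
}

// Constructed demo (runs offline from the CLI): a legitimate client binds the
// session, repeats a request, then the same session arrives from elsewhere.
if (PHP_SAPI === 'cli') {
    $config = ['session_check_ip' => true, 'session_check_browser' => true];
    $victim = [
        'REMOTE_ADDR'          => '203.0.113.10',
        'HTTP_USER_AGENT'      => 'Mozilla/5.0 (X11; Linux x86_64)',
        'SERVER_PROTOCOL'      => 'HTTP/1.1',
        'HTTP_ACCEPT_LANGUAGE' => 'en-US,en;q=0.5',
    ];
    $attacker = [
        'REMOTE_ADDR'     => '198.51.100.7',
        'HTTP_USER_AGENT' => 'curl/8.4.0',
        'SERVER_PROTOCOL' => 'HTTP/1.1',
    ];
    $session = [];
    var_dump(check_session_binding($session, $victim, $config));   // first request: binds
    var_dump(check_session_binding($session, $victim, $config));   // replay from same client
    var_dump(check_session_binding($session, $attacker, $config)); // replay from other client
}
```

Two caveats a deployer should weigh before enabling either switch: IP binding logs out legitimate users whose address changes mid-session (mobile networks, carrier-grade NAT, rotating corporate proxies), and the header signature changes whenever a browser updates, so both are best treated as optional hardening on top of HttpOnly/Secure session cookies and a session_regenerate_id() at login, not as a substitute for them. Hashing the IP adds no secrecy, since the attacker knows their own address; it only normalises what is stored.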