In-Portal Issue Tracker

Welcome to the In-Portal Open Source CMS Issue Tracker! This is a central management / tracking tool for all types of tasks / issues / bugs for the In-Portal Project. Before reporting any issues, please make sure to read the Guide into Issue Tracker and How to Properly Test and Report Bugs!


Viewing Issue Simple Details

ID: 0000215
Category: [In-Portal CMS] Security
Type: feature request
Reproducibility: always
Date Submitted: 2009-08-09 21:01
Last Update: 2009-10-03 07:57
Reporter: Dmitry
View Status: public
Assigned To: alex
Priority: normal
Resolution: reopened
Status: closed
Summary: 0000215: Session Security Checks
Description: In order to prevent session hijacking, I suggest the following:

1. IP Based Validation:

if (empty($_SESSION)) { // new session: remember a hash of the client's IP address
  $_SESSION['ip'] = md5($_SERVER['REMOTE_ADDR']);
} else if ($_SESSION['ip'] != md5($_SERVER['REMOTE_ADDR'])) { // IP changed since the session was created
  session_destroy(); // destroy fake session
  $_SESSION = array(); // session_destroy() does not clear the in-memory array
  session_start(); // create a new "clean" session
}

We should make this an option using a config variable.


2. Browser Signature

// Request headers that together identify the client's browser
$keys = array('HTTP_USER_AGENT', 'SERVER_PROTOCOL',
  'HTTP_ACCEPT_CHARSET', 'HTTP_ACCEPT_ENCODING', 'HTTP_ACCEPT_LANGUAGE');
$tmp = '';
foreach ($keys as $v) {
  if (isset($_SERVER[$v])) $tmp .= $_SERVER[$v]; // skip headers the client did not send
}
$browser_sig = md5($tmp); // store on first request, compare on later ones

We should make this an option using a config variable.
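As an added example (not code from this issue or from In-Portal), the two checks above combined into one guard that can be tested without a live session: the function takes the request headers and session data as arrays, records the binding on a new session and reports a mismatch on later requests. The config keys 'check_ip' and 'check_browser' are assumed names, not In-Portal's real config variables.

```php
<?php
// Added example, not In-Portal code. Binds a session to the hashed client IP
// and/or a browser-header signature, as proposed in the issue, and reports a
// mismatch so the caller can destroy the session. Config keys are assumed.
function inportal_session_guard(array $server, array &$session, array $config)
{
    $fingerprint = array();
    if (!empty($config['check_ip'])) {
        $ip = isset($server['REMOTE_ADDR']) ? $server['REMOTE_ADDR'] : '';
        $fingerprint['ip'] = md5($ip);
    }
    if (!empty($config['check_browser'])) {
        $keys = array('HTTP_USER_AGENT', 'SERVER_PROTOCOL', 'HTTP_ACCEPT_CHARSET',
                      'HTTP_ACCEPT_ENCODING', 'HTTP_ACCEPT_LANGUAGE');
        $tmp = '';
        foreach ($keys as $v) {
            // "\n" separates values so two header sets cannot concatenate to the same string
            if (isset($server[$v])) $tmp .= $server[$v] . "\n";
        }
        $fingerprint['browser_sig'] = md5($tmp);
    }
    if (!isset($session['fingerprint'])) {
        $session['fingerprint'] = $fingerprint; // new session: record the binding
        return true;
    }
    return $session['fingerprint'] === $fingerprint; // false = possible hijacked session
}

// Constructed sample requests (not captured traffic).
$config = array('check_ip' => true, 'check_browser' => true);
$first = array('REMOTE_ADDR' => '203.0.113.10', 'HTTP_USER_AGENT' => 'Mozilla/5.0 (X11; Linux)',
               'SERVER_PROTOCOL' => 'HTTP/1.1', 'HTTP_ACCEPT_LANGUAGE' => 'en-US');
$sameClient = $first;
$otherClient = $first;
$otherClient['HTTP_USER_AGENT'] = 'curl/7.64.0'; // same cookie presented from a different browser

$session = array();
$ok1 = inportal_session_guard($first, $session, $config);       // true: binding recorded
$ok2 = inportal_session_guard($sameClient, $session, $config);  // true: same IP and headers
$ok3 = inportal_session_guard($otherClient, $session, $config); // false: signature differs

echo "first: ", var_export($ok1, true), "  same client: ", var_export($ok2, true),
     "  other client: ", var_export($ok3, true), "\n";
// In a real request handler, a false result is where session_destroy(),
// $_SESSION = array() and session_start() from the issue would run.
```

The IP check is the one most likely to log out legitimate users behind carrier NAT or rotating proxies, which is why keeping each check behind its own config variable, as the issue asks, matters in practice.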

Copyright © 2000 - 2009 MantisBT Group