ID: 0000215
Project: In-Portal CMS
Category: [In-Portal CMS] Security
Type: feature request
Reproducibility: always
Date Submitted: 2009-08-09 21:01
Last Update: 2009-10-03 07:57
Reporter: Dmitry
Assigned To: alex
View Status: public
Priority: normal
Status: closed
Resolution: reopened
Product Version: 5.0.0
Target Version: 5.0.1
Fixed in Version: 5.0.1
Time Estimate: No estimate
Summary: 0000215: Session Security Checks
Description:

In order to prevent session hijacking, I suggest the following:

1. IP Based Validation:

```php
// Bind the session to a hash of the client address; a request for an existing
// session that arrives from a different address is treated as a hijack.
session_start();
if (empty($_SESSION)) {
    // new session
    $_SESSION['ip'] = md5($_SERVER['REMOTE_ADDR']);
} elseif ($_SESSION['ip'] != md5($_SERVER['REMOTE_ADDR'])) {
    session_destroy(); // destroy fake session
    session_start();   // create a new "clean" session
}
```

We should make this an option using a config variable.

2. Browser Signature:

```php
// Fingerprint of request headers that normally stay constant for one browser;
// compare it against the value stored when the session was created.
$keys = array('HTTP_USER_AGENT', 'SERVER_PROTOCOL', 'HTTP_ACCEPT_CHARSET',
              'HTTP_ACCEPT_ENCODING', 'HTTP_ACCEPT_LANGUAGE');
$tmp = '';
foreach ($keys as $v) {
    if (isset($_SERVER[$v])) {
        $tmp .= $_SERVER[$v];
    }
}
$browser_sig = md5($tmp);
```

We should make this an option using a config variable.

Tags: No tags attached.
Estimate Points: 0
Notes
(0000344) Dmitry (manager) 2009-08-18 23:51
This has been moved to 5.0.1. I believe these 2 checks (separately) should be optional (check-boxes in Admin, OFF by default) and will make sure the session owner is the same person and it's not hijacked. Admin->Website->Advanced: Session Settings, after "Keep Session alive on Browser close":
a. ValidateSessionByBrowserSignature => Browser Signature Validation
b. ValidateSessionByIP => IP Based Validation
Also, how does "Session Referrer Checking" work, and does it work at all?
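The two checks from the description, wired to the ValidateSessionByIP and ValidateSessionByBrowserSignature options named in the note above, as an added PHP example. This is not In-Portal code and not the r12399 implementation in core/kernel/session/; the function names, the config array shape, the `binding` session key and the use of sha256 instead of md5 are assumptions made for the example.

```php
<?php
// Added example, not In-Portal code: optional IP and browser-signature
// binding for a PHP session. Function names, the config keys read here and
// the $_SESSION['binding'] slot are assumptions for illustration.
declare(strict_types=1);

/**
 * Hash of the client address. Behind a reverse proxy REMOTE_ADDR is the
 * proxy, so every user shares one value; only consult X-Forwarded-For if
 * the proxy is yours and overwrites the header on the way in.
 */
function clientIpHash(array $server): string
{
    return hash('sha256', $server['REMOTE_ADDR'] ?? '');
}

/**
 * Fingerprint of request headers that normally stay constant for one
 * browser. None of them are secret: whoever stole the cookie can copy
 * them too, so this only blocks naive replay of the bare cookie.
 */
function browserSignature(array $server): string
{
    $keys = ['HTTP_USER_AGENT', 'SERVER_PROTOCOL', 'HTTP_ACCEPT_CHARSET',
             'HTTP_ACCEPT_ENCODING', 'HTTP_ACCEPT_LANGUAGE'];
    $parts = [];
    foreach ($keys as $k) {
        $parts[] = $server[$k] ?? '';  // keep the slot even when absent
    }
    // NUL-separated so "ab"+"c" and "a"+"bc" do not collide
    return hash('sha256', implode("\0", $parts));
}

/**
 * Call immediately after session_start(). Returns true when the session is
 * accepted, false when it failed a check and was replaced by a fresh one.
 * Checks that are switched off in $config are neither stored nor compared.
 */
function enforceSessionBinding(array $config, array $server): bool
{
    $expected = [];
    if (!empty($config['ValidateSessionByIP'])) {
        $expected['ip'] = clientIpHash($server);
    }
    if (!empty($config['ValidateSessionByBrowserSignature'])) {
        $expected['browser_sig'] = browserSignature($server);
    }

    if (!isset($_SESSION['binding'])) {
        // First request of this session: record what to compare against.
        $_SESSION['binding'] = $expected;
        return true;
    }

    foreach ($expected as $name => $value) {
        $stored = $_SESSION['binding'][$name] ?? null;
        if ($stored === null) {
            // Option was enabled after this session was created: bind now
            // rather than logging every existing user out.
            $_SESSION['binding'][$name] = $value;
            continue;
        }
        if (!hash_equals($stored, $value)) {
            // Mismatch: drop server-side state, invalidate the old id so the
            // presented cookie becomes useless, and start a clean session.
            $_SESSION = [];
            session_regenerate_id(true);
            $_SESSION['binding'] = $expected;
            return false;
        }
    }
    return true;
}

// Usage at the top of a request:
session_start();
$config = [
    'ValidateSessionByIP'               => true,  // admin check-box
    'ValidateSessionByBrowserSignature' => true,  // admin check-box
];
if (!enforceSessionBinding($config, $_SERVER)) {
    // Treat the visitor as logged out; the old session data is gone.
}
```

Both options being OFF by default, as proposed, is the right call: IP binding logs out users whose address changes mid-session (mobile carriers, load-balanced corporate proxies), and it is useless behind a reverse proxy unless the proxy's forwarded address is used. The browser signature is built entirely from headers the client sends, so a hijacker who captures the full request alongside the cookie passes it; it defends against cookie-only theft and nothing more. On a mismatch the example regenerates the session id instead of only clearing the data, so the stolen cookie value stops mapping to any live session.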
(0000369) alex (manager) 2009-09-01 13:40
Fix committed to 5.0.x branch. Commit Message: 1. Fixes 0000215: Session Security Checks. 2. Bug 0000034: Update English lang. Pack.

(0000370) alex (manager) 2009-09-01 13:43
Session referrer checking worked fine, but it wasn't providing any protection against hacking, so it was replaced by two new implemented options.

(0000747) administrator (administrator) 2009-10-03 07:57
Closing issues from 5.0.1 version, because version was already released.
Related Changesets

In-Portal CMS: 5.0.x r12399 (Timestamp: 2009-09-01 13:40:51, Author: alex)
1. Fixes 0000215: Session Security Checks. 2. Bug 0000034: Update English lang. Pack.

Modified files:
mod - /in-portal/branches/5.0.x/core/install/english.lang
mod - /in-portal/branches/5.0.x/core/install/install_data.sql
mod - /in-portal/branches/5.0.x/core/install/install_schema.sql
mod - /in-portal/branches/5.0.x/core/install/upgrades.sql
mod - /in-portal/branches/5.0.x/core/kernel/session/inp_session.php
mod - /in-portal/branches/5.0.x/core/kernel/session/session.php
mod - /in-portal/branches/5.0.x/core/kernel/utility/unit_config_reader.php
Issue History

Date Modified | Username | Field | Change
2009-10-03 07:57 | administrator | Note Added: 0000747 | |
2009-10-03 07:57 | administrator | Status | resolved => closed |
2009-09-14 09:42 | Dmitry | Status | reviewed and tested => resolved |
2009-09-14 09:42 | Dmitry | Status | needs work => reviewed and tested |
2009-09-14 09:42 | Dmitry | Status | needs feedback => needs work |
2009-09-14 09:42 | Dmitry | File Deleted: sql_lacks.txt | |
2009-09-14 09:41 | Dmitry | Note Deleted: 0000432 | |
2009-09-14 09:41 | Dmitry | Note Added: 0000432 | |
2009-09-14 09:41 | Dmitry | Status | resolved => needs feedback |
2009-09-14 09:41 | Dmitry | Resolution | fixed => reopened |
2009-09-14 09:39 | Dmitry | File Added: sql_lacks.txt | |
2009-09-01 13:43 | alex | Note Added: 0000370 | |
2009-09-01 13:41 | alex | Fixed in Version | => 5.0.1 |
2009-09-01 13:40 | alex | Changeset attached | 5.0.x r12399 |
2009-09-01 13:40 | alex | Note Added: 0000369 | |
2009-09-01 13:40 | alex | Status | reviewed and tested => resolved |
2009-09-01 13:40 | alex | Resolution | open => fixed |
2009-08-18 23:51 | Dmitry | Note Added: 0000344 | |
2009-08-18 23:51 | Dmitry | Target Version | 5.1.0 => 5.0.1 |
2009-08-09 22:32 | Dmitry | Type | bug report => feature request |
2009-08-09 22:31 | Dmitry | Target Version | 5.0.1 => 5.1.0 |
2009-08-09 21:01 | Dmitry | New Issue | |
2009-08-09 21:01 | Dmitry | Status | active => reviewed and tested |
2009-08-09 21:01 | Dmitry | Assigned To | => alex |