In-Portal Issue Tracker - In-Portal CMS
Viewing Issue Advanced Details
Issue ID: 215
Project: In-Portal CMS
Category: Security
Type: feature request
Reproducibility: always
Date Submitted: 2009-08-09 21:01
Last Update: 2009-10-03 07:57
Reporter: Dmitry
Assigned To: alex
Priority: normal
Status: closed
Product Version: 5.0.0
Resolution: reopened
Fixed in Version: 5.0.1
0000215: Session Security Checks
In order to prevent session hijacking suggest the following:

1. IP Based Validation:

<?php
session_start(); // the check below assumes a session has already been started

if (empty($_SESSION)) { // new session: remember the client's IP
  $_SESSION['ip'] = md5($_SERVER['REMOTE_ADDR']);
} else if ($_SESSION['ip'] != md5($_SERVER['REMOTE_ADDR'])) {
  $_SESSION = array(); // clear the in-memory session data as well
  session_destroy(); // destroy fake session
  session_start(); // create a new "clean" session
  session_regenerate_id(true); // new ID, so the old cookie no longer selects this session
}

We should make this an option using a config variable.


2. Browser Signature

<?php
// Concatenate the request headers that identify the browser, then hash them
$keys = array('HTTP_USER_AGENT', 'SERVER_PROTOCOL',
  'HTTP_ACCEPT_CHARSET', 'HTTP_ACCEPT_ENCODING', 'HTTP_ACCEPT_LANGUAGE');
$tmp = '';
foreach ($keys as $v) {
  if (isset($_SERVER[$v])) $tmp .= $_SERVER[$v];
}
$browser_sig = md5($tmp); // store in the session and compare on each request

We should make this an option using a config variable.
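As an added example (not In-Portal's code and not part of this issue), here is how the two checks can be combined behind the option names proposed in note 0000344, with `hash_equals()` for the comparison and a separator inside the browser signature. The `$config` array, `BROWSER_SIG_KEYS` and the function names are assumptions.

```php
<?php
// Added example, not In-Portal's code: both proposed checks behind the option
// names from note 0000344. $config, BROWSER_SIG_KEYS and the function names
// are assumptions; needs PHP >= 7 (?? operator, hash_equals).
const BROWSER_SIG_KEYS = ['HTTP_USER_AGENT', 'SERVER_PROTOCOL',
    'HTTP_ACCEPT_CHARSET', 'HTTP_ACCEPT_ENCODING', 'HTTP_ACCEPT_LANGUAGE'];
// Expected fingerprint for this request, one entry per enabled check.
function session_fingerprint(array $server, array $config): array
{
    $fp = [];
    if (!empty($config['ValidateSessionByIP'])) {
        $fp['ip'] = hash('sha256', $server['REMOTE_ADDR'] ?? '');
    }
    if (!empty($config['ValidateSessionByBrowserSignature'])) {
        $parts = [];
        foreach (BROWSER_SIG_KEYS as $key) {
            $parts[] = $server[$key] ?? '';
        }
        // A separator keeps "ab"."c" and "a"."bc" from hashing identically.
        $fp['browser'] = hash('sha256', implode("\n", $parts));
    }
    return $fp;
}

// True when the session may continue: a fresh session records its
// fingerprint, an existing one must match every enabled check.
function validate_session(array &$session, array $server, array $config): bool
{
    $expected = session_fingerprint($server, $config);
    if (!isset($session['fingerprint'])) {
        $session['fingerprint'] = $expected;
        return true;
    }
    foreach ($expected as $check => $value) {
        // A check enabled mid-session has no stored value and so fails here.
        $stored = $session['fingerprint'][$check] ?? '';
        if (!hash_equals($stored, $value)) {
            return false;
        }
    }
    return true;
}

// Per-request wiring. Both options default to OFF, as note 0000344 proposes.
$config = ['ValidateSessionByIP' => false, 'ValidateSessionByBrowserSignature' => false];
session_start();
if (!validate_session($_SESSION, $_SERVER, $config)) {
    $_SESSION = [];               // discard the mismatched session's data
    session_regenerate_id(true);  // and issue a fresh session ID
}
```

With the IP check enabled, clients whose address changes mid-session (mobile networks, some proxy pools) are logged out on the next request, which is why the proposal keeps each check optional.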

Issue History
2009-10-03 07:57 administrator Note Added: 0000747
2009-10-03 07:57 administrator Status resolved => closed
2009-09-14 09:42 Dmitry Status reviewed and tested => resolved
2009-09-14 09:42 Dmitry Status needs work => reviewed and tested
2009-09-14 09:42 Dmitry Status needs feedback => needs work
2009-09-14 09:42 Dmitry File Deleted: sql_lacks.txt
2009-09-14 09:41 Dmitry Note Deleted: 0000432
2009-09-14 09:41 Dmitry Note Added: 0000432
2009-09-14 09:41 Dmitry Status resolved => needs feedback
2009-09-14 09:41 Dmitry Resolution fixed => reopened
2009-09-14 09:39 Dmitry File Added: sql_lacks.txt
2009-09-01 13:43 alex Note Added: 0000370
2009-09-01 13:41 alex Fixed in Version => 5.0.1
2009-09-01 13:40 alex Changeset attached 5.0.x r12399
2009-09-01 13:40 alex Note Added: 0000369
2009-09-01 13:40 alex Status reviewed and tested => resolved
2009-09-01 13:40 alex Resolution open => fixed
2009-08-18 23:51 Dmitry Note Added: 0000344
2009-08-18 23:51 Dmitry Target Version 5.1.0 => 5.0.1
2009-08-09 22:32 Dmitry Type bug report => feature request
2009-08-09 22:31 Dmitry Target Version 5.0.1 => 5.1.0
2009-08-09 21:01 Dmitry New Issue
2009-08-09 21:01 Dmitry Status active => reviewed and tested
2009-08-09 21:01 Dmitry Assigned To => alex

Notes
(0000344) Dmitry, 2009-08-18 23:51
This has been moved to 5.0.1.

I believe these 2 checks (separately) should be optional (check-boxes in Admin, OFF by default) and will make sure the session owner is the same person and that it's not hijacked.

Admin->Website->Advanced: Session Settings, after "Keep Session alive on Browser close"

a. ValidateSessionByBrowserSignature => Browser Signature Validation
b. ValidateSessionByIP => IP Based Validation

Also, how does "Session Referrer Checking" work, and does it work at all?
(0000369) alex, 2009-09-01 13:40
Fix committed to 5.0.x branch. Commit Message:

1. Fixes 0000215: Session Security Checks.
2. Bug 0000034: Update English lang. Pack.
(0000370) alex, 2009-09-01 13:43
Session referrer checking worked fine, but it wasn't providing any protection against hacking, so it was replaced by the two newly implemented options.
(0000747) administrator, 2009-10-03 07:57
Closing issues from the 5.0.1 version, because the version was already released.