In-Portal Issue Tracker - In-Portal CMS

Viewing Issue Advanced Details

| ID | Category | Type | Reproducibility | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 215 | [In-Portal CMS] Security | feature request | always | 2009-08-09 21:01 | 2009-10-03 07:57 |

Reporter: Dmitry
Assigned To: alex
Priority: normal
Status: closed
Resolution: reopened
Product Version: 5.0.0
Product Build:
Fixed in Version: 5.0.1
ETA: none
Platform:
OS:
OS Version:
Reference:
Change Log Message:
Estimate Points: 0

Summary: 0000215: Session Security Checks
Description:

In order to prevent session hijacking I suggest the following:

1. IP Based Validation:

```php
if (empty($_SESSION)) {
    // new session: remember the (hashed) client address it was created from
    $_SESSION['ip'] = md5($_SERVER['REMOTE_ADDR']);
} else if ($_SESSION['ip'] != md5($_SERVER['REMOTE_ADDR'])) {
    // address changed: throw the suspicious session away and start a clean one
    $_SESSION = array();         // session_destroy() does not clear the in-memory array
    session_destroy();           // destroy fake session
    session_start();             // create a new "clean" session
    session_regenerate_id(true); // new ID, so the ID the client presented is not reused
}
```

We should make this an option using a config variable.

2. Browser Signature

```php
$keys = array('HTTP_USER_AGENT', 'SERVER_PROTOCOL', 'HTTP_ACCEPT_CHARSET',
              'HTTP_ACCEPT_ENCODING', 'HTTP_ACCEPT_LANGUAGE');
$tmp = '';
foreach ($keys as $v) {
    if (isset($_SERVER[$v])) {
        $tmp .= $_SERVER[$v]; // concatenate whichever of these headers the client sent
    }
}
$browser_sig = md5($tmp);
```

We should make this an option using a config variable.
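The two checks requested above, combined into one config-driven session binding, as an added example that is not In-Portal's own code; the `$config` keys and function names are hypothetical, and `hash_equals()` needs PHP 5.6 or later.

```php
<?php
// Added example, not In-Portal's code: both checks from the request above,
// each switchable by a config flag. The $config keys below are hypothetical.
function client_fingerprint(array $server, array $config) {
    $parts = array();
    if (!empty($config['session_check_ip'])) {
        $parts[] = isset($server['REMOTE_ADDR']) ? $server['REMOTE_ADDR'] : '';
    }
    if (!empty($config['session_check_browser'])) {
        $keys = array('HTTP_USER_AGENT', 'SERVER_PROTOCOL', 'HTTP_ACCEPT_CHARSET',
                      'HTTP_ACCEPT_ENCODING', 'HTTP_ACCEPT_LANGUAGE');
        foreach ($keys as $k) {
            $parts[] = isset($server[$k]) ? $server[$k] : '';
        }
    }
    // NUL separator: "ab"."c" and "a"."bc" must not produce the same digest
    return hash('sha256', implode("\0", $parts));
}

// Returns true when the request may keep its session, false when it was reset.
function enforce_session_binding(array $config) {
    if (empty($config['session_check_ip']) && empty($config['session_check_browser'])) {
        return true; // both checks turned off in config
    }
    $current = client_fingerprint($_SERVER, $config);
    if (!isset($_SESSION['fingerprint'])) {
        $_SESSION['fingerprint'] = $current; // first request: bind the session
        return true;
    }
    if (hash_equals($_SESSION['fingerprint'], $current)) { // constant-time compare
        return true;
    }
    // Mismatch: wipe the data and issue a fresh ID. session_destroy() alone
    // leaves the old ID in the cookie, so a stolen ID would stay usable.
    $_SESSION = array();
    session_regenerate_id(true);
    return false;
}

session_start();
$config = array('session_check_ip' => true, 'session_check_browser' => true);
if (!enforce_session_binding($config)) {
    // the caller now holds an empty, unauthenticated session: require login again
}
```

Binding to `REMOTE_ADDR` logs out users whose address changes mid-session (mobile carriers, proxy pools), which is why the IP check gets its own flag separate from the browser signature.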
Steps To Reproduce:

Additional Information:

Relationships:

Attached Files:
Issue History

| Date Modified | Username | Field | Change |
|---|---|---|---|
| 2009-10-03 07:57 | administrator | Note Added: 0000747 | |
| 2009-10-03 07:57 | administrator | Status | resolved => closed |
| 2009-09-14 09:42 | Dmitry | Status | reviewed and tested => resolved |
| 2009-09-14 09:42 | Dmitry | Status | needs work => reviewed and tested |
| 2009-09-14 09:42 | Dmitry | Status | needs feedback => needs work |
| 2009-09-14 09:42 | Dmitry | File Deleted: sql_lacks.txt | |
| 2009-09-14 09:41 | Dmitry | Note Deleted: 0000432 | |
| 2009-09-14 09:41 | Dmitry | Note Added: 0000432 | |
| 2009-09-14 09:41 | Dmitry | Status | resolved => needs feedback |
| 2009-09-14 09:41 | Dmitry | Resolution | fixed => reopened |
| 2009-09-14 09:39 | Dmitry | File Added: sql_lacks.txt | |
| 2009-09-01 13:43 | alex | Note Added: 0000370 | |
| 2009-09-01 13:41 | alex | Fixed in Version | => 5.0.1 |
| 2009-09-01 13:40 | alex | Changeset attached | 5.0.x r12399 |
| 2009-09-01 13:40 | alex | Note Added: 0000369 | |
| 2009-09-01 13:40 | alex | Status | reviewed and tested => resolved |
| 2009-09-01 13:40 | alex | Resolution | open => fixed |
| 2009-08-18 23:51 | Dmitry | Note Added: 0000344 | |
| 2009-08-18 23:51 | Dmitry | Target Version | 5.1.0 => 5.0.1 |
| 2009-08-09 22:32 | Dmitry | Type | bug report => feature request |
| 2009-08-09 22:31 | Dmitry | Target Version | 5.0.1 => 5.1.0 |
| 2009-08-09 21:01 | Dmitry | New Issue | |
| 2009-08-09 21:01 | Dmitry | Status | active => reviewed and tested |
| 2009-08-09 21:01 | Dmitry | Assigned To | => alex |
Notes