In-Portal Issue Tracker

Welcome to the In-Portal Open Source CMS Issue Tracker! This is a central management / tracking tool for all types of tasks / issues / bugs for the In-Portal Project. Before reporting any issues, please make sure to read the Guide into Issue Tracker and How to Properly Test and Report Bugs!

ID: 0000215
Category: [In-Portal CMS] Security
Type: feature request
Reproducibility: always
Date Submitted: 2009-08-09 21:01
Last Update: 2009-10-03 07:57
Reporter: Dmitry
View Status: public
Project Name: In-Portal CMS
Assigned To: alex (Developer)
Priority: normal
Resolution: reopened
Fixed in Version: 5.0.1
Status: closed
Product Version: 5.0.0
Target Version: 5.0.1
Time Estimate: No estimate
Summary: 0000215: Session Security Checks
Description: In order to prevent session hijacking, I suggest the following:

1. IP-Based Validation:

if (empty($_SESSION)) { // new session: remember the client address it was created from
  $_SESSION['ip'] = md5($_SERVER['REMOTE_ADDR']);
} else if ($_SESSION['ip'] != md5($_SERVER['REMOTE_ADDR'])) { // address changed since the session was created
  session_destroy(); // destroy fake session
  session_start(); // create a new "clean" session
}

We should make this an option using a config variable.


2. Browser Signature

$keys = array('HTTP_USER_AGENT', 'SERVER_PROTOCOL',
  'HTTP_ACCEPT_CHARSET', 'HTTP_ACCEPT_ENCODING', 'HTTP_ACCEPT_LANGUAGE');
$tmp = '';
foreach ($keys as $v) {
  if (isset($_SERVER[$v])) $tmp .= $_SERVER[$v]; // skip headers the client did not send
}
$browser_sig = md5($tmp); // stored in the session and compared on every later request

We should make this an option using a config variable.

Tags: No tags attached.
Estimate Points: 0


Notes
(0000344)
Dmitry (manager)
2009-08-18 23:51

This has been moved to 5.0.1.

I believe these 2 checks (separately) should be optional (check-boxes in Admin, OFF by default) and will make sure the session owner is the same person and it's not hijacked.

Admin->Website->Advanced: Session Settings, after "Keep Session alive on Browser close"

a. ValidateSessionByBrowserSignature => Browser Signature Validation
b. ValidateSessionByIP => IP Based Validation


Also, how does "Session Referrer Checking" work, and does it work at all?
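One way to implement the two checks proposed in the issue description, behind the option names listed in note 0000344 (ValidateSessionByIP, ValidateSessionByBrowserSignature). This is an added example, not In-Portal's own code and not the r12399 change; the function names, the `$config` array layout and the `_binding` session key are assumptions for illustration, the request arrays are constructed, and it targets PHP 7.1 or later.

```php
<?php
// Added example, not In-Portal code: the two optional session checks from this
// issue (IP-based validation, browser-signature validation) behind the option
// names proposed in note 0000344. Function names, the $config layout and the
// '_binding' session key are assumptions for illustration. Requires PHP 7.1+.
declare(strict_types=1);

/**
 * Compute the fingerprint parts the enabled checks bind a session to.
 * Keys are the check names, so a mismatch can be reported per check.
 */
function session_fingerprint(array $server, array $config): array
{
    $parts = [];

    if (!empty($config['ValidateSessionByIP'])) {
        // Use the address PHP saw on the socket, not X-Forwarded-For, which the
        // client can set freely. Hashing keeps the stored value fixed-width; it
        // does not hide the address from anyone who can read the session store.
        $parts['ip'] = hash('sha256', $server['REMOTE_ADDR'] ?? '');
    }

    if (!empty($config['ValidateSessionByBrowserSignature'])) {
        // Same header set as the proposal. A missing header contributes an empty
        // string, and the NUL separator stops two header sets from colliding.
        $keys = ['HTTP_USER_AGENT', 'SERVER_PROTOCOL', 'HTTP_ACCEPT_CHARSET',
                 'HTTP_ACCEPT_ENCODING', 'HTTP_ACCEPT_LANGUAGE'];
        $raw = '';
        foreach ($keys as $k) {
            $raw .= ($server[$k] ?? '') . "\0";
        }
        $parts['browser'] = hash('sha256', $raw);
    }

    return $parts;
}

/**
 * Validate a started session against the current request.
 * Returns the name of the first failed check, or null if the session is
 * accepted. On the first request of a session the binding is recorded.
 */
function check_session_binding(array &$session, array $server, array $config): ?string
{
    $current = session_fingerprint($server, $config);

    if (!isset($session['_binding'])) {
        $session['_binding'] = $current;
        return null;
    }

    foreach ($current as $check => $value) {
        $stored = $session['_binding'][$check] ?? null;
        if ($stored === null) {
            // Option enabled after this session was created: adopt the value
            // instead of logging every existing user out.
            $session['_binding'][$check] = $value;
            continue;
        }
        if (!hash_equals($stored, $value)) {
            return $check;
        }
    }
    return null;
}

/**
 * Discard a session whose binding failed. Clearing the data and issuing a new
 * id means the id the attacker presented no longer refers to any user data.
 * Call only after session_start().
 */
function reset_session(): void
{
    $_SESSION = [];
    session_regenerate_id(true);
}

// Self-check on constructed requests (no real traffic). In production the
// call is check_session_binding($_SESSION, $_SERVER, $config).
$config = ['ValidateSessionByIP' => true, 'ValidateSessionByBrowserSignature' => true];
$victim = [
    'REMOTE_ADDR'          => '203.0.113.10',
    'HTTP_USER_AGENT'      => 'Mozilla/5.0 (X11; Linux x86_64; rv:1.9.1) Gecko/20090824 Firefox/3.5.3',
    'SERVER_PROTOCOL'      => 'HTTP/1.1',
    'HTTP_ACCEPT_LANGUAGE' => 'en-US,en;q=0.5',
];
$replayed = $victim;
$replayed['REMOTE_ADDR'] = '198.51.100.7';   // same cookie sent from another host

$session = [];
if (check_session_binding($session, $victim, $config) !== null) {
    throw new RuntimeException('first request must record the binding');
}
if (check_session_binding($session, $victim, $config) !== null) {
    throw new RuntimeException('same client must be accepted');
}
if (check_session_binding($session, $replayed, $config) !== 'ip') {
    throw new RuntimeException('replay from another address must fail the ip check');
}
echo "session binding checks behave as expected\n";
```

The trade-off is the reason note 0000344 wants both options OFF by default: ValidateSessionByIP logs out any user whose address changes mid-session (mobile networks, load-balanced outbound proxies), and the browser signature only stops an attacker who replays the cookie from a different client, since the headers it covers travel in the clear with every request and can be copied along with the cookie. Both checks are a second line behind the basics for the session cookie itself: HttpOnly, Secure over TLS, and session_regenerate_id() at login.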
(0000369)
alex (manager)
2009-09-01 13:40

Fix committed to 5.0.x branch. Commit Message:

1. Fixes 0000215: Session Security Checks.
2. Bug 0000034: Update English lang. Pack.
(0000370)
alex (manager)
2009-09-01 13:43

Session referrer checking worked fine, but it wasn't providing any protection against hacking, so it was replaced by two newly implemented options.
(0000747)
administrator (administrator)
2009-10-03 07:57

Closing issues from the 5.0.1 version, because that version has already been released.

Related Changesets
In-Portal CMS: 5.0.x r12399
Timestamp: 2009-09-01 13:40:51
Author: alex
1. Fixes 0000215: Session Security Checks.
2. Bug 0000034: Update English lang. Pack.
mod - /in-portal/branches/5.0.x/core/install/english.lang
mod - /in-portal/branches/5.0.x/core/install/install_data.sql
mod - /in-portal/branches/5.0.x/core/install/install_schema.sql
mod - /in-portal/branches/5.0.x/core/install/upgrades.sql
mod - /in-portal/branches/5.0.x/core/kernel/session/inp_session.php
mod - /in-portal/branches/5.0.x/core/kernel/session/session.php
mod - /in-portal/branches/5.0.x/core/kernel/utility/unit_config_reader.php

Issue History
Date Modified Username Field Change
2009-10-03 07:57 administrator Note Added: 0000747
2009-10-03 07:57 administrator Status resolved => closed
2009-09-14 09:42 Dmitry Status reviewed and tested => resolved
2009-09-14 09:42 Dmitry Status needs work => reviewed and tested
2009-09-14 09:42 Dmitry Status needs feedback => needs work
2009-09-14 09:42 Dmitry File Deleted: sql_lacks.txt
2009-09-14 09:41 Dmitry Note Deleted: 0000432
2009-09-14 09:41 Dmitry Note Added: 0000432
2009-09-14 09:41 Dmitry Status resolved => needs feedback
2009-09-14 09:41 Dmitry Resolution fixed => reopened
2009-09-14 09:39 Dmitry File Added: sql_lacks.txt
2009-09-01 13:43 alex Note Added: 0000370
2009-09-01 13:41 alex Fixed in Version => 5.0.1
2009-09-01 13:40 alex Changeset attached 5.0.x r12399
2009-09-01 13:40 alex Note Added: 0000369
2009-09-01 13:40 alex Status reviewed and tested => resolved
2009-09-01 13:40 alex Resolution open => fixed
2009-08-18 23:51 Dmitry Note Added: 0000344
2009-08-18 23:51 Dmitry Target Version 5.1.0 => 5.0.1
2009-08-09 22:32 Dmitry Type bug report => feature request
2009-08-09 22:31 Dmitry Target Version 5.0.1 => 5.1.0
2009-08-09 21:01 Dmitry New Issue
2009-08-09 21:01 Dmitry Status active => reviewed and tested
2009-08-09 21:01 Dmitry Assigned To => alex



Web Development by Intechnic
In-Portal Open Source CMS
Copyright © 2000 - 2009 MantisBT Group

Powered by Mantis Bugtracker