| Anonymous | Login | Signup for a new account | 2024-05-17 23:19 CDT | |
| Main | My View | View Issues | Change Log | Roadmap | Docs | Wiki | Repositories |
| Viewing Issue Simple Details [ Jump to Notes ] [ Wiki ] | [ View Advanced ] [ Issue History ] [ Print ] | ||||||
| ID | Category | Type | Reproducibility | Date Submitted | Last Update | ||
| 0000215 | [In-Portal CMS] Security | feature request | always | 2009-08-09 21:01 | 2009-10-03 07:57 | ||
| Reporter | Dmitry | View Status | public | Project Name | In-Portal CMS | ||
| Assigned To | alex | Developer | |||||
| Priority | normal | Resolution | reopened | Fixed in Version | 5.0.1 | ||
| Status | closed | Product Version | 5.0.0 | Target Version | 5.0.1 | ||
| Time Estimate | No estimate | ||||||
| Summary | 0000215: Session Security Checks | ||||||
| Description |
In order to prevent session hijacking suggest the following: 1. IP Based Validation: if (empty($_SESSION)) { // new session $_SESSION[‘ip’] = md5($_SERVER[‘REMOTE_ADDR’]); } else if ($_SESSION[‘ip’] != md5($_SERVER[‘REMOTE_ADDR’])) { session_destroy(); // destroy fake session session_start(); // create a new “clean” session } We should have make this an option using config variable. 2. Browser Signature $keys = array(‘HTTP_USER_AGENT’, ‘SERVER_PROTOCOL’, ‘HTTP_ACCEPT_CHARSET’, ‘HTTP_ACCEPT_ENCODING’, ‘HTTP_ACCEPT_LANGUAGE’); $tmp = ‘’; foreach ($keys as $v) { if (isset($_SERVER[$v])) $tmp .= $_SERVER[$v]; } $browser_sig = md5($tmp); We should have make this an option using config variable. |
||||||
| Additional Information | |||||||
| Tags | No tags attached. | ||||||
| Reference | |||||||
| Change Log Message | |||||||
| Estimate Points | 0 | ||||||
| Attached Files | |||||||
|
|
|||||||
 Relationships [ Relation Graph ]
[ Dependency Graph ]
|
|
 Relationships |
|
Notes |
|
 (0000344)Dmitry (manager) 2009-08-18 23:51 |
This has been moved to 5.0.1. I believe these 2 checks (separately) should be optional (check-boxs in Admin, OFF by default) and will make sure session owner is the same person and it's not hijacked. Admin->Website->Advanced: Session Settings, after "Keep Session alive on Browser close" a. ValidateSessionByBrowserSignature => Browser Signature Validation b. ValidateSessionByIP => IP Based Validation Also, how "Session Referrer Checking" work and if it works at all? |
 (0000369)alex (manager) 2009-09-01 13:40 |
Fix committed to 5.0.x branch. Commit Message: 1. Fixes 0000215: Session Security Checks. 2. Bug 0000034: Update English lang. Pack. |
|
(0000370) alex (manager) 2009-09-01 13:43 |
Session referrer checking worked fine, but it wasn't providing any protection against hacking, so it was replaced by two new implemented options. |
 (0000747)administrator (administrator) 2009-10-03 07:57 |
Closing issues from 5.0.1 version, because version was already released. |
|
Notes |
| Related Changesets |
|||
|
In-Portal CMS: 5.0.x r12399 Timestamp: 2009-09-01 13:40:51 Author: alex [ Details ] [ Diff ] |
1. Fixes 0000215: Session Security Checks. 2. Bug 0000034: Update English lang. Pack. |
||
| mod - /in-portal/branches/5.0.x/core/install/english.lang | [ Diff ] [ File ] | ||
| mod - /in-portal/branches/5.0.x/core/install/install_data.sql | [ Diff ] [ File ] | ||
| mod - /in-portal/branches/5.0.x/core/install/install_schema.sql | [ Diff ] [ File ] | ||
| mod - /in-portal/branches/5.0.x/core/install/upgrades.sql | [ Diff ] [ File ] | ||
| mod - /in-portal/branches/5.0.x/core/kernel/session/inp_session.php | [ Diff ] [ File ] | ||
| mod - /in-portal/branches/5.0.x/core/kernel/session/session.php | [ Diff ] [ File ] | ||
| mod - /in-portal/branches/5.0.x/core/kernel/utility/unit_config_reader.php | [ Diff ] [ File ] | ||
| Related Changesets |
|
Issue History |
|||
| Date Modified | Username | Field | Change |
| 2009-10-03 07:57 | administrator | Note Added: 0000747 | |
| 2009-10-03 07:57 | administrator | Status | resolved => closed |
| 2009-09-14 09:42 | Dmitry | Status | reviewed and tested => resolved |
| 2009-09-14 09:42 | Dmitry | Status | needs work => reviewed and tested |
| 2009-09-14 09:42 | Dmitry | Status | needs feedback => needs work |
| 2009-09-14 09:42 | Dmitry | File Deleted: sql_lacks.txt | |
| 2009-09-14 09:41 | Dmitry | Note Deleted: 0000432 | |
| 2009-09-14 09:41 | Dmitry | Note Added: 0000432 | |
| 2009-09-14 09:41 | Dmitry | Status | resolved => needs feedback |
| 2009-09-14 09:41 | Dmitry | Resolution | fixed => reopened |
| 2009-09-14 09:39 | Dmitry | File Added: sql_lacks.txt | |
| 2009-09-01 13:43 | alex | Note Added: 0000370 | |
| 2009-09-01 13:41 | alex | Fixed in Version | => 5.0.1 |
| 2009-09-01 13:40 | alex | Changeset attached | 5.0.x r12399 |
| 2009-09-01 13:40 | alex | Note Added: 0000369 | |
| 2009-09-01 13:40 | alex | Status | reviewed and tested => resolved |
| 2009-09-01 13:40 | alex | Resolution | open => fixed |
| 2009-08-18 23:51 | Dmitry | Note Added: 0000344 | |
| 2009-08-18 23:51 | Dmitry | Target Version | 5.1.0 => 5.0.1 |
| 2009-08-09 22:32 | Dmitry | Type | bug report => feature request |
| 2009-08-09 22:31 | Dmitry | Target Version | 5.0.1 => 5.1.0 |
| 2009-08-09 21:01 | Dmitry | New Issue | |
| 2009-08-09 21:01 | Dmitry | Status | active => reviewed and tested |
| 2009-08-09 21:01 | Dmitry | Assigned To | => alex |
|
Issue History |
| Main | My View | View Issues | Change Log | Roadmap | Docs | Wiki | Repositories |
Web Development by Intechnic
In-Portal Open Source CMS |
Copyright © 2000 - 2009 MantisBT Group
 |