[imp] Users getting other users' login (session)?
Jie Gao
J.Gao@isu.usyd.edu.au
Thu, 5 Sep 2002 08:28:19 +1000 (EST)
On Wed, 4 Sep 2002, S. Joyce wrote:
> Greetings. A few weeks ago, there was a similar thread on this issue. I didn't see a resolution, and I've searched the list archives but am not finding information that seems germane to our instance. Randomly, and infrequently, it seems, users are able to access another user's log in and email account.
>...
I have had exactly the same report from my users in a lab situation.
> session.cookie_lifetime 0 (the default)
> session.gc_maxlifetime 1440 (the default)
> session.gc_probability 10 (up from 1--wanted more frequent clean up)
> session.save_handler files (the default)
I have since shortened session.cookie_lifetime.
I had the following setting:
; Specified here to create the session id.
session.entropy_file = /dev/urandom
; How many bytes to read from the file.
; session.entropy_length = 0
session.entropy_length = 32
and I have now increased the above to 64. But I don't know if it'll happen
again.
Regards,
Jie