[imp] Users getting other users' login (session)?

Jie Gao J.Gao@isu.usyd.edu.au
Thu, 5 Sep 2002 08:28:19 +1000 (EST)


On Wed, 4 Sep 2002, S. Joyce wrote:

> Greetings.  A few weeks ago, there was a similar thread on this issue.  I didn't see a resolution, and I've searched the list archives but am not finding information that seems germane to our instance.  Randomly, and infrequently, it seems, users are able to access another user's log in and email account.
>...

I have had exactly the same report from my users in a lab situation.

>         session.cookie_lifetime         0       (the default)
>         session.gc_maxlifetime          1440    (the default)
>         session.gc_probability          10      (up from 1--wanted more frequent clean up)
>         session.save_handler            files   (the default)

I have since shortened session.cookie_lifetime.

I had the following setting:

; Specified here to create the session id.
session.entropy_file = /dev/urandom

; How many bytes to read from the file.
; session.entropy_length = 0

session.entropy_length = 32

and I have now increased the above to 64. But I don't know if it'll happen
again.

Regards,



Jie
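An added example, not part of this message or the thread: a small Python checker that parses a php.ini session block like the one above and flags the weak values the thread is discussing. The thresholds (at least 32 bytes of entropy, a non-zero gc_probability, an entropy file being set) are assumptions of this example, and the embedded php.ini text is constructed from the settings quoted in the thread.

```python
import re

# Constructed php.ini fragment assembled from the settings quoted in the thread
# (example input, not a file from either poster).
SAMPLE_INI = """
; Specified here to create the session id.
session.entropy_file = /dev/urandom

; How many bytes to read from the file.
; session.entropy_length = 0
session.entropy_length = 32
session.cookie_lifetime = 0
session.gc_maxlifetime = 1440
session.gc_probability = 10
session.save_handler = files
"""

def parse_session_settings(text):
    """Collect session.* keys from php.ini text.

    Lines beginning with ';' are comments (so the commented-out
    entropy_length = 0 line is ignored); a later assignment overrides an earlier one.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = re.match(r"^(session\.[A-Za-z_]+)\s*=\s*(.*?)\s*$", line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings

def audit_session_settings(settings, min_entropy_bytes=32):
    """Return a list of findings; an empty list means nothing looked weak.

    Thresholds are assumptions chosen for this example, not PHP recommendations.
    """
    findings = []
    if not settings.get("session.entropy_file"):
        findings.append("session.entropy_file unset: no extra entropy source for session ids")
    length = int(settings.get("session.entropy_length", "0") or 0)
    if length < min_entropy_bytes:
        findings.append(f"session.entropy_length={length}: below {min_entropy_bytes} bytes")
    gc_prob = int(settings.get("session.gc_probability", "1") or 0)
    if gc_prob == 0:
        findings.append("session.gc_probability=0: expired session files are never collected")
    return findings

if __name__ == "__main__":
    for f in audit_session_settings(parse_session_settings(SAMPLE_INI)) or ["no findings"]:
        print(f)
```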