[imp] wrong person's inbox?
Jie Gao
J.Gao@isu.usyd.edu.au
Thu Oct 17 23:29:29 2002
On Thu, 17 Oct 2002, Miroslaw Jaworski wrote:
> Date: Thu, 17 Oct 2002 17:36:02 +0200
> From: Miroslaw Jaworski <mjaw@ipartners.pl>
> To: Jan Schneider <jan@horde.org>
> Cc: imp <imp@lists.horde.org>
> Subject: Re: [imp] wrong person's inbox?
>
> * Jan Schneider (jan@horde.org) [021017 17:23] wrote:
> > Zitat von Liam Hoekenga <liamr@umich.edu>:
> >
> > > > > We had a user report that he signed in read his email, signed
> > > > > out, then signed back in again and was presented w/someone else's
> > > > > mailbox.
> > > >
> > > > It has come up before but none of the reporters was actually able to
> > > > reproduce it. It has always been end user reports.
> > > > You use session.entropy correctly, don't you?
> > >
> > > I *think* I've entropy set up correctly. Here are the settings from our
> > > php.ini
> > > file:
> > >
> > > session.entropy_length = 16
> > > session.entropy_file = /dev/urandom
> > >
> > > Are these values right? Do I need additional settings?
> >
> > No, looks good.
>
> Is the random session number the only thing protecting user session?
>
> I know that 16^16 gives quite a big set, and if one thinks it's not
> enough one can simply increase entropy_length, significantly lowering
> the probability of "same sid generation" case.
>
> But - rare user reports about "hijacked sessions" may be a signal,
> that random session numbers are too weak protection.
I still had reports of the problem from end users even when I increased
session.entropy_length to 32. We are on 64 now, and I haven't heard back
from these users again.
Regards,
Jie
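The thread reasons about how large the session-ID space is and how likely "same sid generation" becomes for a given entropy_length. Below is an added worked example (not IMP/Horde code and not written by anyone in the thread) that puts numbers on that reasoning with the birthday bound, computed both for the 2^64 count the thread uses (16^16) and for a 128-bit identifier, and that audits the session.entropy_* lines of a php.ini the way the "are these values right?" question asks. One assumption is mine, not the thread's: that a PHP 4 session ID is the 32-hex-character MD5 digest, so the bytes read from entropy_file feed the hash rather than widen the identifier. The two php.ini fragments are constructed for illustration.

```python
"""Session-ID collision math plus a php.ini entropy check.

Added example for the thread above; not IMP/Horde code and not written by any
participant. The php.ini fragments are constructed for illustration.
"""
import math

# Assumption (mine, not stated in the thread): a PHP 4 session ID is the
# 32-hex-character MD5 digest, a 128-bit value, whatever entropy_length is.
# The entropy bytes are hashed in; they do not enlarge the identifier.
PHP4_SESSION_ID_BITS = 128


def collision_probability(id_bits: int, sessions: int) -> float:
    """Chance that at least two of `sessions` uniformly random IDs drawn from a
    space of 2**id_bits coincide. Birthday approximation 1 - exp(-n(n-1)/2N),
    accurate while n is far below sqrt(N)."""
    space = 2.0 ** id_bits
    exponent = -sessions * (sessions - 1) / (2.0 * space)
    return -math.expm1(exponent)  # 1 - exp(x) without cancellation for tiny x


def sessions_for_probability(id_bits: int, probability: float) -> float:
    """Invert the bound: how many concurrent sessions before the collision
    chance reaches `probability` (0 < probability < 1)."""
    space = 2.0 ** id_bits
    return math.sqrt(-2.0 * space * math.log1p(-probability))


# Constructed php.ini fragments: the first is deliberately weak, the second is
# the configuration the thread accepts as correct.
WEAK_PHP_INI = """\
[Session]
session.save_handler = files
session.entropy_length = 0      ; nothing mixed in from the OS
session.entropy_file =
"""

ACCEPTED_PHP_INI = """\
[Session]
session.save_handler = files
session.entropy_length = 16
session.entropy_file = /dev/urandom
"""


def parse_session_settings(ini_text: str) -> dict:
    """Pull session.* keys out of php.ini text, ignoring comments and sections."""
    settings = {}
    for raw in ini_text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip()
        if key.startswith("session."):
            settings[key] = value.strip().strip('"')
    return settings


def audit_entropy(settings: dict) -> list:
    """Return findings about the entropy settings; an empty list means they
    match what the thread treats as sound (16+ bytes from /dev/urandom)."""
    findings = []
    raw_length = settings.get("session.entropy_length", "0")
    try:
        length = int(raw_length)
    except ValueError:
        length = 0
        findings.append(f"session.entropy_length={raw_length!r} is not an integer")
    source = settings.get("session.entropy_file", "")
    if length < 16:
        findings.append(f"session.entropy_length={length}: fewer than 16 bytes mixed in")
    if not source:
        findings.append("session.entropy_file is unset: no OS randomness is mixed in")
    elif source == "/dev/random":
        findings.append("session.entropy_file=/dev/random can block under load; use /dev/urandom")
    return findings


if __name__ == "__main__":
    for bits in (64, PHP4_SESSION_ID_BITS):
        p = collision_probability(bits, 1_000_000)
        print(f"{bits}-bit IDs, 1e6 sessions: P(collision) ~ {p:.3g}")
        n50 = sessions_for_probability(bits, 0.5)
        print(f"  sessions needed for a 50% collision chance: {n50:.3g}")
    for name, text in (("weak", WEAK_PHP_INI), ("accepted", ACCEPTED_PHP_INI)):
        print(name, audit_entropy(parse_session_settings(text)) or "ok")
```

With a million live sessions the bound comes out around 3e-8 for a 64-bit space and around 1e-27 for a 128-bit one, so a genuine random collision is an unlikely explanation for recurring reports either way; the audit function encodes the thread's accepted settings (at least 16 bytes, read from /dev/urandom rather than the blocking /dev/random) as the check a site can run against its own php.ini.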