[imp] wrong person's inbox?

Miroslaw Jaworski mjaw at ipartners.pl
Thu Oct 17 16:36:20 PDT 2002


* Jan Schneider (jan at horde.org) [021017 17:23] wrote:
> Zitat von Liam Hoekenga <liamr at umich.edu>:
> 
> > > > We had a user report that he signed in read his email, signed
> > > > out, then signed back in again and was presented w/someone else's
> > > > mailbox.
> > >
> > > It has come up before but none of the reporters was actually able to
> > > reproduce it. It has always been end-user reports.
> > > You use session.entropy correctly, don't you?
> > 
> > I *think* I've entropy set up correctly.  Here are the settings from our
> > php.ini file:
> > 
> >     session.entropy_length = 16
> >     session.entropy_file = /dev/urandom
> > 
> > Are these values right?  Do I need additional settings?
> 
> No, looks good.

Is the random session number the only thing protecting the user session?

I know that 16^16 gives quite a big set, and if one thinks it's not
enough one can simply increase entropy_length, significantly lowering
the probability of the "same sid generation" case.

But - rare user reports about "hijacked sessions" may be a signal
that random session numbers are too weak a protection.

If I haven't made a mistake so far...

Regards

MJ.

-- 
Miroslaw.Jaworski at ipartners.pl  ( Psyborg )  MJ102-RIPE  Internet Partners
Server Administration Department Manager
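As an added example (not code from this thread or from the Horde/IMP project), the following Python quantifies the "same sid generation" risk the poster reasons about, using the birthday bound; it assumes a session ID is a uniformly random string of a given number of bits.

```python
"""Birthday-bound estimate for duplicate session IDs.

With N possible IDs and n live sessions, the chance that two sessions
share an ID is about 1 - exp(-n(n-1)/(2N)).  Assumption: every ID is a
uniformly random value of `id_bits` bits (what session.entropy_file =
/dev/urandom is meant to provide).
"""
import math


def collision_probability(id_bits: int, live_sessions: int) -> float:
    """Probability that at least two of `live_sessions` random IDs coincide.

    Uses -expm1 so that very small probabilities are not rounded to 0.0.
    """
    if live_sessions < 2:
        return 0.0
    space = 2.0 ** id_bits
    n = live_sessions
    return -math.expm1(-n * (n - 1) / (2.0 * space))


def sessions_for_probability(id_bits: int, p: float) -> int:
    """Number of live sessions at which P(collision) reaches p (inverse)."""
    space = 2.0 ** id_bits
    return math.ceil(math.sqrt(-2.0 * space * math.log1p(-p)))


# Constructed scenarios: the 16^16 space the poster names (64 bits)
# against a full 128-bit ID, for a million simultaneous sessions.
if __name__ == "__main__":
    for bits in (64, 128):
        p = collision_probability(bits, 1_000_000)
        n_half = sessions_for_probability(bits, 0.5)
        print(f"{bits:3d}-bit IDs: P(collision | 1e6 sessions) = {p:.3e}; "
              f"50% reached after ~{n_half:.3e} sessions")
```

Note that 16^16 is 2^64, while a 32-character hexadecimal session ID (PHP's MD5-based one) spans 2^128 values; either way an accidental duplicate is far too unlikely to explain even rare reports, which is why the poster's suspicion that something other than the ID is at fault is worth pursuing.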
