[imp] wrong person's inbox?
Miroslaw Jaworski
mjaw at ipartners.pl
Thu Oct 17 16:36:20 PDT 2002
* Jan Schneider (jan at horde.org) [021017 17:23] wrote:
> Zitat von Liam Hoekenga <liamr at umich.edu>:
>
> > > > We had a user report that he signed in read his email, signed
> > > > out, then signed back in again and was presented w/someone else's
> > > > mailbox.
> > >
> > > It has come up before but none of the reporters was actually able to
> > > reproduce it. It has always been end user reports.
> > > You use session.entropy correctly, don't you?
> >
> > I *think* I've entropy set up correctly. Here are the settings from our
> > php.ini file:
> >
> > session.entropy_length = 16
> > session.entropy_file = /dev/urandom
> >
> > Are these values right? Do I need additional settings?
>
> No, looks good.
Is the random session number the only thing protecting the user session?
I know that 16^16 gives quite a big set, and if one thinks it's not
enough one can simply increase entropy_length, significantly lowering
the probability of the "same sid generation" case.
But rare user reports about "hijacked sessions" may be a signal
that random session numbers are too weak a protection.
If I haven't made a mistake so far...
Regards
MJ.
--
Miroslaw.Jaworski at ipartners.pl ( Psyborg ) MJ102-RIPE Internet Partners
Server Administration Department Manager
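As an added example (my code, not part of this thread or of IMP), the "same sid generation" probability the post refers to, worked out with the birthday bound as a function of session.entropy_length in bytes and the number of live sessions; it assumes each id carries the full 8 * entropy_length bits from /dev/urandom, and the function names are mine.

```python
import math
import os


def sid_collision_probability(entropy_bytes: int, sessions: int) -> float:
    """Birthday-bound probability that at least two of `sessions` ids drawn
    uniformly from 2**(8*entropy_bytes) values coincide.

    Uses p = 1 - exp(-n(n-1) / (2N)), accurate while n << sqrt(N).
    Assumption: every id really contains 8*entropy_bytes bits of entropy.
    """
    space_bits = 8 * entropy_bytes
    # 2**(-space_bits) stays representable as a float up to 64-byte ids,
    # so no log-space tricks are needed here.
    exponent = -(sessions * (sessions - 1)) / 2.0 * 2.0 ** (-space_bits)
    return -math.expm1(exponent)


def bytes_for_target(sessions: int, max_probability: float) -> int:
    """Smallest entropy_length (in bytes) keeping the collision probability
    for `sessions` concurrent ids at or below `max_probability`."""
    for nbytes in range(1, 65):
        if sid_collision_probability(nbytes, sessions) <= max_probability:
            return nbytes
    raise ValueError("target not reachable with ids up to 64 bytes")


def new_session_id(entropy_bytes: int = 16) -> str:
    """Draw entropy_bytes from the OS CSPRNG (the same pool /dev/urandom
    serves) and hex-encode them, like entropy_length=16 in the post."""
    return os.urandom(entropy_bytes).hex()


if __name__ == "__main__":
    for nbytes in (4, 8, 16):
        p = sid_collision_probability(nbytes, 1_000_000)
        print(f"entropy_length={nbytes:2d} bytes, 1e6 sessions: p={p:.3e}")
    print("bytes needed for p<=1e-9 at 1e6 sessions:",
          bytes_for_target(1_000_000, 1e-9))
    print("sample id:", new_session_id())
```

With 16 bytes and a million live sessions the collision probability is on the order of 1e-27, so "same sid generation" is not a plausible explanation at that setting; the calculator shows how quickly that changes for short ids.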