[imp] Session Collisions

Eric Rostetter eric.rostetter at physics.utexas.edu
Thu Mar 6 10:37:36 PST 2003


Quoting Symen Mulders <symen.mulders at plattsburgh.edu>:

> It seems to me that allowing the user to specify their own session key
> is probably a bad idea.

Enable cookies for sessions, and a large amount of this goes away (assuming
the browser supports cookies).

Per the CVS HEAD version of imp/docs/INSTALL:

   Other security steps you can take to increase security include:

   * Use session cookies instead of URL based sessions.
   * Set your php session.entropy_length to a larger value (e.g. 16)
     and session.entropy_file to a random source (e.g. /dev/urandom)
   * Enable and use the php mcrypt extension

> The keys are complex random numbers, so the
> chance of a user guessing another user's key is almost nonexistent, but
> it is easy enough for other bad things to happen by accident, as we
> discovered.

Yes.  Cookies are a bit harder to grab than URLs.

> My question is, how important is it that this be changed, or has it been
> changed in Horde 2.2.1/IMP 3.2?

There's been only minor work in this area in CVS HEAD, AFAIK.  The work
has been towards killing the sessions at logout/login...

-- 
Eric Rostetter
The Department of Physics
The University of Texas at Austin

Why get even? Get odd!
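As an added example (not code from IMP, Horde or this thread), the weak and hardened PHP session settings the mail contrasts, plus regeneration of the session id at login, which is the "killing the sessions at login" direction mentioned above. Function names are mine, and a few settings (session.use_only_cookies, session.cookie_httponly, the delete flag of session_regenerate_id) postdate this 2003 mail.

```php
<?php
// Weak configuration: the session id travels in the URL, and an id
// supplied by the client via GET/POST is adopted as-is by the server.
function weak_session_config(): void {
    ini_set('session.use_cookies', '0');       // no cookie; id appended to URLs
    ini_set('session.use_only_cookies', '0');  // ids from the URL are accepted
    ini_set('session.use_trans_sid', '1');     // PHP rewrites links to carry the id
}

// Hardened configuration: cookies only, no URL rewriting, larger entropy
// pool for id generation (entropy_* settings existed in PHP 4/5 and were
// removed in PHP 7.1, where the id generator is always CSPRNG-based).
function hardened_session_config(): void {
    ini_set('session.use_cookies', '1');
    ini_set('session.use_only_cookies', '1');  // ignore ids supplied via the URL
    ini_set('session.use_trans_sid', '0');
    ini_set('session.entropy_length', '16');   // as the INSTALL text recommends
    ini_set('session.entropy_file', '/dev/urandom');
    ini_set('session.cookie_httponly', '1');   // keep client-side script away from it
}

// Call once per request before any output.
function begin_request(): void {
    hardened_session_config();
    session_start();
}

// On successful login, discard the pre-authentication id so that an id
// leaked or fixed before login never becomes an authenticated session.
function start_authenticated_session(string $user): void {
    session_regenerate_id(true);   // new id; old server-side record deleted
    $_SESSION = ['user' => $user, 'login_time' => time()];
}

// On logout, destroy the server-side data and expire the cookie.
function end_session(): void {
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}
```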
