[imp] Session Collisions
Eric Rostetter
eric.rostetter at physics.utexas.edu
Thu Mar 6 10:37:36 PST 2003
Quoting Symen Mulders <symen.mulders at plattsburgh.edu>:
> It seems to me that allowing the user to specify their own session key
> is probably a bad idea.
Enable cookies for sessions, and a large amount of this goes away (assuming
the browser supports cookies).
Per the CVS HEAD version of imp/docs/INSTALL:
Other security steps you can take to increase security include:
* Use session cookies instead of URL-based sessions.
* Set your php session.entropy_length to a larger value (e.g. 16)
and session.entropy_file to a random source (e.g. /dev/urandom)
* Enable and use the php mcrypt extension
> The keys are complex random numbers, so the
> chance of a user guessing another user's key is almost nonexistent, but
> it is easy enough for other bad things to happen by accident, as we
> discovered.
Yes. Cookies are a bit harder to grab than URLs.
> My question is, how important is it that this be changed, or has it been
> changed in Horde 2.2.1/IMP 3.2?
There's been only minor work in this area in CVS HEAD, AFAIK. The work
has been towards killing the sessions at logout/login...
--
Eric Rostetter
The Department of Physics
The University of Texas at Austin
Why get even? Get odd!
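The three INSTALL recommendations quoted in the message (cookie sessions, a larger session.entropy_length with session.entropy_file pointing at /dev/urandom, and the mcrypt extension) can be checked against a running PHP without reading php.ini by hand. The script below is an added example, not part of the mail or of the Horde/IMP code; it assumes it is run under the same PHP SAPI and php.ini that serve IMP. It also checks two related directives the mail does not mention, session.use_only_cookies and session.use_trans_sid, because enabling cookies alone still lets PHP accept or rewrite a session ID carried in the URL.

```php
<?php
// session_audit.php: added example, not part of the original mail or of
// Horde/IMP. Reports session settings that differ from the recommendations
// quoted above. Run it under the PHP configuration that serves IMP.

function audit_session_settings(): array
{
    $findings = [];

    // 1. Cookie sessions instead of URL-based sessions. The session ID should
    //    travel in a cookie, PHP should refuse an ID supplied in the query
    //    string, and it should not rewrite the ID into links and forms.
    if (!ini_get('session.use_cookies')) {
        $findings[] = 'session.use_cookies is off: session IDs are carried in URLs';
    }
    if (!ini_get('session.use_only_cookies')) {
        $findings[] = 'session.use_only_cookies is off: an ID in the URL is still accepted';
    }
    if (ini_get('session.use_trans_sid')) {
        $findings[] = 'session.use_trans_sid is on: PHP rewrites session IDs into links';
    }

    // 2. Entropy used when generating session IDs. These directives exist in
    //    PHP before 7.1; ini_get() returns false for an unknown directive, so
    //    on newer PHP (which seeds IDs from the OS CSPRNG itself) this block
    //    reports nothing.
    $len = ini_get('session.entropy_length');
    if ($len !== false && (int) $len < 16) {
        $findings[] = "session.entropy_length is '$len', below the recommended 16";
    }
    $file = ini_get('session.entropy_file');
    if ($file !== false && $file === '') {
        $findings[] = 'session.entropy_file is empty: no OS random source is mixed in';
    }

    // 3. The mcrypt extension recommended in the INSTALL excerpt.
    if (!extension_loaded('mcrypt')) {
        $findings[] = 'mcrypt extension is not loaded';
    }

    return $findings;
}

$findings = audit_session_settings();
if ($findings === []) {
    echo "session settings match the INSTALL recommendations\n";
} else {
    foreach ($findings as $finding) {
        echo "WARN: $finding\n";
    }
}
```

Run it through the web server (for example as a page in a restricted directory) rather than only from the command line, since the CLI SAPI can load a different php.ini than the server does; delete it once the settings have been confirmed.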