[imp] Security - user A got into userB's email

Lachlan Cameron-Smith lachlan.cameronsmith at adelaide.edu.au
Thu Oct 23 17:37:13 PDT 2003


session.entropy_length = 64

I can still reproduce the issue of user B getting into user A's e-mail 
using URLs with session IDs, even with the above setting.

Regards,
Lachlan


Kim Hoffman wrote:

> We have two groups of users:
> 
> 1.  Users who use their own systems
> 2.  Users who share systems (e.g. student lab)
> 
> Cookies are OK for those who own their own systems.  However, we think cookies 
> would be insecure for users who 'share' systems.
> 
> What did you set your 'session.entropy_length = xx' ?  
> Would this make any difference?  
> By setting 'session.entropy_length = xx' to a very high number, would this 
> impact performance?


-- 
Lachlan Cameron-Smith
Senior Systems Specialist, ITS, Adelaide University
lachlan.cameronsmith at adelaide.edu.au
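As an added illustration (not code from this thread or from the IMP project) of why raising session.entropy_length does not stop the URL-based session problem described above: the entropy setting only changes how the ID is generated, while the PHP directives that decide whether the ID is ever placed in a URL are session.use_trans_sid and session.use_only_cookies. The directive names are real PHP settings; the two login/logout functions are hypothetical helpers written for this example.

```php
<?php
// Added example, not from the thread or the IMP code base. Directive names
// are real PHP session settings; the functions below are illustrative.
//
// Weak: a long, unguessable ID that travels in the URL is still copied into
// browser history, proxy logs and Referer headers on a shared lab machine, so
// the next user can simply reuse it. Entropy length does not change that.
//
// php.ini, weak (URL-based sessions remain possible):
//   session.use_trans_sid    = 1
//   session.use_only_cookies = 0
//   session.entropy_length   = 64   ; removed in PHP 7.1, replaced by session.sid_length
//
// php.ini, corrected (the ID lives only in a cookie, never in the URL):
//   session.use_trans_sid    = 0
//   session.use_only_cookies = 1
//   session.use_strict_mode  = 1   ; PHP >= 5.5.2: reject IDs the server never issued
//   session.cookie_httponly  = 1
//   session.cookie_secure    = 1   ; only when the site is served over HTTPS
//   session.cookie_lifetime  = 0   ; discarded when the browser is closed

// The same corrected settings applied at runtime, before session_start(),
// for hosts where php.ini cannot be edited.
ini_set('session.use_trans_sid', '0');
ini_set('session.use_only_cookies', '1');
ini_set('session.use_strict_mode', '1');
ini_set('session.cookie_httponly', '1');
session_start();

// Hypothetical login hook: issue a fresh ID once credentials are verified, so
// a session that existed before login is not carried into the authenticated state.
function on_successful_login(string $username): void
{
    session_regenerate_id(true);   // true: discard the old session data
    $_SESSION['user'] = $username;
    $_SESSION['login_time'] = time();
}

// Hypothetical logout: clear server-side state and expire the cookie, so the
// next person at a shared keyboard does not inherit the mailbox.
function logout(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 3600,
              $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}
```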
