[imp] Security - user A got into userB's email
Lord Apollyon
implist at paypc.com
Thu Oct 23 18:58:15 PDT 2003
Quoting Lachlan Cameron-Smith <lachlan.cameronsmith at adelaide.edu.au>:
> session.entropy_length = 64
>
> I can still reproduce the issue of user B getting into user A's e-mail
> using URLs with session IDs, even with the above setting.
This may actually make your problem worse. System entropy is a "precious
resource". Depending on your host OS, you may be reverting to a really
crappy pseudo-random pool. If you have a high volume of users, you are
probably completely out of "good" entropy pools.
You may wish to turn off "trans_sid", and ensure cookies (at least for
sessions) are enabled on the workstations. trans_sid URLs can be pasted
into another web-browser and "hijack" sessions.
64 seems way too large, especially on a busy system.
=R=
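The configuration change the reply recommends, as an added PHP example that is not part of the original thread; it assumes PHP 7.1 or later, and the session_id_in_url and on_login_success helpers are hypothetical names.

```php
<?php
// Added example (not from the post): keep the session ID in a cookie only, so
// a URL carrying it cannot be pasted into another browser to take over the
// session. Assumes PHP >= 7.1 (nullable return types).

// Weak settings the reply warns about, for comparison (php.ini syntax):
//   session.use_trans_sid    = 1   ; ID appended to links and forms
//   session.use_only_cookies = 0   ; ID also accepted from the query string
//   session.entropy_length   = 64  ; 64 bytes of system entropy per new session
//     (this directive no longer exists from PHP 7.1; IDs come from the OS CSPRNG)

// Hardened settings, applied before session_start():
ini_set('session.use_trans_sid', '0');     // never rewrite URLs with the ID
ini_set('session.use_only_cookies', '1');  // ignore IDs arriving via GET/POST
ini_set('session.use_cookies', '1');
ini_set('session.cookie_httponly', '1');   // cookie not readable by scripts

/**
 * Detect a session ID that arrived in the query string. With the settings
 * above it is no longer honoured, but logging it shows where links with an
 * embedded ID are still being shared or pasted. Hypothetical helper.
 */
function session_id_in_url(array $query, string $name): ?string
{
    if (!isset($query[$name]) || !is_string($query[$name])) {
        return null;
    }
    // Session IDs use 0-9, a-z/A-Z and, with 6 bits per character, ',' and '-'.
    return preg_match('/^[A-Za-z0-9,-]{22,256}$/', $query[$name]) === 1
        ? $query[$name]
        : null;
}

/** After a successful login, replace the ID so a pre-login ID that was ever
 *  exposed cannot be reused to reach the authenticated session. Hypothetical. */
function on_login_success(): void
{
    session_regenerate_id(true); // true: discard the old session file
}

session_start();

$leaked = session_id_in_url($_GET, session_name());
if ($leaked !== null) {
    error_log('session id supplied in URL (ignored): ' . $leaked);
}
```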