[imp] Security - user A got into user B's email

Lachlan Cameron-Smith lachlan.cameronsmith at adelaide.edu.au
Sun Oct 26 17:27:04 PST 2003


Lord Apollyon wrote:

>>session.entropy_length = 64
>>
>>I can still reproduce the issue of user B getting into user A's e-mail 
>>using URLs with session IDs, even with the above setting.
> 
> This may actually make your problem worse.  System entropy is a "precious
> resource".  Depending on your host OS, you may be reverting to a really
> crappy pseudo-random pool.  If you have a high volume of users, you are
> probably completely out of "good" entropy pools.  

I can also reproduce the issue on our dev system without 
session.entropy_length set.

> You may wish to turn off "trans_sid", and ensure cookies (at least for
> sessions) are enabled on the workstations.  trans_sid URLs can be pasted
> into another web-browser and "hijack" sessions.

session.use_trans_sid = 0
As I said two e-mails ago, the only solution I've found is to set 
session.use_only_cookies = 1.

Regards,

Lachlan Cameron-Smith
Senior Systems Specialist, ITS, Adelaide University
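The two settings argued over in this thread, side by side, as an added example (not code from the original post, from IMP or from Horde): the permissive php.ini values that let a session ID travel in the URL, and a hardened bootstrap that forces cookie-only sessions and refuses any ID that still arrives in the query string. It assumes PHP 7.1 or later (scalar type hints, session_regenerate_id() with its delete-old-session argument) and uses session_name() rather than hard-coding the parameter name, since IMP may not use PHP's default PHPSESSID.

```php
<?php
// Added example: hardened PHP session bootstrap.  Not code from IMP or from
// the original post; assumes PHP >= 7.1.
//
// Weak php.ini settings that reproduce the reported problem:
//
//   session.use_trans_sid    = 1
//   session.use_only_cookies = 0
//
// With these, a browser that has not returned a session cookie gets every
// link rewritten to carry ?<session.name>=<id>, and PHP accepts that ID back
// from the query string.  Pasting such a URL into another browser is enough
// to land in the first user's mailbox.  Note the asymmetry the thread ran
// into: use_trans_sid = 0 only stops PHP from writing the ID into links; PHP
// still honours an ID supplied in the URL until use_only_cookies = 1.
//
// Hardened equivalents, set at runtime so they apply even when php.ini is
// out of reach.  They must run before session_start().
ini_set('session.use_only_cookies', '1');   // ignore IDs in GET/POST entirely
ini_set('session.use_trans_sid', '0');      // never rewrite links with the ID
ini_set('session.cookie_httponly', '1');    // keep the cookie away from scripts
// ini_set('session.cookie_secure', '1');   // enable once the site is HTTPS-only

$sidName = session_name();                  // e.g. PHPSESSID, or IMP's own name

// Belt and braces: if a session ID still shows up in the URL (an old
// bookmark, a link mailed around), do not honour it.  Redirect to the same
// page without the parameter so the leaked ID is never reused.
if (isset($_GET[$sidName])) {
    $query = $_GET;
    unset($query[$sidName]);
    $clean = strtok($_SERVER['REQUEST_URI'], '?');
    if ($query) {
        $clean .= '?' . http_build_query($query);
    }
    header('Location: ' . $clean, true, 302);
    exit;
}

session_start();

// Issue a fresh ID once the user authenticates, so an ID captured or planted
// before login (session fixation) never becomes a logged-in session.
function bind_session_to_user(string $user): void
{
    session_regenerate_id(true);            // true = delete the old session data
    $_SESSION['user'] = $user;
}

// Check that the current session is bound to the expected user before
// serving anything from that user's mailbox.
function session_belongs_to(string $user): bool
{
    return isset($_SESSION['user']) && $_SESSION['user'] === $user;
}
```

The redirect branch is deliberately unconditional: once use_only_cookies is on, PHP already ignores the URL parameter, but stripping it stops the ID from being copied onward in Referer headers, proxy logs and forwarded links, which is how such URLs end up pasted into someone else's browser in the first place.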
