[imp] Re: Session ID Duplicates

Magnus Nordseth magnus at ntnu.no
Thu Nov 27 06:30:36 PST 2003


Jacob Davida:
> Hello,
> 
> I'm not quite sure, but I believe you can help this problem by changing
> the sessions to store the customer IPs. I'm not sure if this is implemented
> in your version or if it will fix the problem, but it's something to try.
> 
> Here's the snippet from the conf.php file
> 
> // Should we use always store and validate the IP address of the client (as
> // seen by the web server) in the session? Doing so will help increase
> // security by ensuring that an attacker from another host can not try to
> // hijack the session. Either true or false.
> $conf['auth']['checkip'] = false;

This isn't implemented in RELENG. I started looking at backporting the
code, but I ended up setting session.use_only_cookies = 1. 

The problem at our site was that some users bookmarked webmail with a
sessionid in the URL. Forcing cookies seems to have solved the problem. 

Unfortunately, it is (at least at the moment) impossible to tell users with
cookies disabled and problems logging in that they must allow cookies.


-- 
Magnus Nordseth
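The two measures discussed in this thread, keeping the session id out of URLs with session.use_only_cookies and binding the session to the client address as checkip does, as an added PHP example that is not IMP/Horde code and not part of the original messages. It assumes PHP 5.2 or later, a web server that is not behind a reverse proxy (so REMOTE_ADDR is the real client), and a hypothetical /webmail/ entry page; the session_bound_to_client() function and the cookie probe are constructed for this example.

```php
<?php
// Added example, not IMP/Horde code. Shows session.use_only_cookies plus an
// IP-binding check in the spirit of $conf['auth']['checkip'].

// 1. Accept the session id from cookies only and never rewrite links to
//    carry it, so a bookmarked URL can no longer contain a live session id.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
ini_set('session.cookie_httponly', '1');

// 2. Bind the session to the address that created it. Returns true when the
//    session may be used, false when the id shows up from another host.
//    Assumption: no reverse proxy, so REMOTE_ADDR is the client's own address.
function session_bound_to_client($checkip, $client_addr)
{
    if (!$checkip) {
        return true;                          // binding disabled (RELENG behaviour)
    }
    if (!isset($_SESSION['client_addr'])) {
        $_SESSION['client_addr'] = $client_addr;   // first request: record it
        return true;
    }
    return $_SESSION['client_addr'] === $client_addr;
}

session_start();
$checkip = true;                              // stands in for $conf['auth']['checkip']
if (!session_bound_to_client($checkip, $_SERVER['REMOTE_ADDR'])) {
    // The id arrived from a host other than the one that logged in:
    // drop the session data and issue a fresh id instead of serving it.
    $_SESSION = array();
    session_regenerate_id(true);
    header('Location: /webmail/login.php');   // hypothetical login page
    exit;
}

// 3. Tell cookie-less users what is wrong. With use_only_cookies on, a
//    browser that returns no cookie gets a new empty session every request,
//    so redirect once with a marker and see whether the cookie came back.
if (!isset($_COOKIE[session_name()])) {
    if (isset($_GET['cookie_probe'])) {
        echo 'Your browser did not return the session cookie; please enable cookies.';
        exit;
    }
    header('Location: /webmail/?cookie_probe=1');   // hypothetical entry page
    exit;
}
```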


